Abstract


We introduce a library called CSP-Agda for representing processes in the dependently typed theorem prover and interactive programming language Agda. We will enhance processes by a monad structure. The monad structure facilitates combining processes in a modular way, and allows recursion to be defined as a direct operation on processes. Processes are defined coinductively as non-well-founded trees. The nodes of the tree are formed by an atomic one-step relation, which determines for a process the external choices, internal choices and termination events it can choose, and whether the process has terminated. The data type of processes is inspired by Setzer and Hancock's notion of interactive programs in dependent type theory. The operators of CSP will be defined rather than atomic operations, and compute new elements of the data type of processes from existing ones.

The approach will make use of advanced type theoretic features: the use of inductive-recursively defined universes; the definition of coinductive types by their observations, which has similarities to the notion of an object in object-oriented programming; the use of sized types for coinductive types, which allow coinductive definitions in a modular way; the handling of finitary information (names of processes) in a coinductive setting; the use of named types for automatic inference of arguments, similar to its use in template meta-programming in C++; and the use of interactive programs in dependent type theory.

We introduce a simulator as an interactive program in Agda. The simulator allows one to observe the evolution of processes following external or internal choices. Our aim is to use this in order to simulate railway interlocking systems and to write programs in Agda which directly use CSP processes.

Then we extend the trace semantics of CSP to the monadic setting. We implement this semantics, together with the corresponding refinement and equality relation, formally in CSP-Agda. In order to demonstrate the proof capabilities of CSP-Agda, we prove in CSP-Agda selected algebraic laws of CSP based on the trace semantics. Because of the monadic setting, some adjustments need to be made to these laws.

Next we implement the more advanced semantics of CSP, the stable failures semantics and the failures divergences infinite traces semantics (FDI), in CSP-Agda, and define the corresponding refinement and equality relations. Direct proofs in these semantics are cumbersome, and we develop a technique of showing algebraic laws in those semantics in an indirect way, which is much easier. We introduce divergence-respecting weak bisimilarity and strong bisimilarity in CSP-Agda, and show that both imply equivalence with respect to stable failures and FDI semantics. We then show certain algebraic laws with respect to one of these two bisimilarity relations. As a case study, we model and verify a possible scenario for railways in CSP-Agda and in standard CSP tools.
Chapter 1

Introduction


1.1 Motivation 

The starting point of this work was the modelling of processes of the European Railway Train Management System (ERTMS) in the process algebra CSP. Having expertise in modelling railway interlocking systems in Agda (PhD project by Kanso [2012], Kanso and Setzer [2014]), we thought that an interesting step forward would be to model CSP in the interactive theorem prover and dependently typed programming language Agda. Our aim was to simulate railway interlocking systems and write programs in Agda which directly use CSP processes. A first step towards this project was the development of the library CSP-Agda (Igried and Setzer [2016a,b]). CSP-Agda represents CSP processes coinductively and in monadic form. In CSP-Agda a monadic extension of CSP was developed, which is based on the IO monad. The IO monad allows the development of programs in a modular way using the bind construct. Interactive programs return a value when they terminate. The bind construct allows one to sequentially compose a program with a return value with a second program which depends on that return value.

The purpose of this thesis is to introduce CSP semantics in Agda, and 
carry out proofs of algebraic laws and of properties of example processes in 
CSP-Agda. 


1.2 CSP 

Communicating Sequential Processes (CSP; Hoare [1978], Roscoe [1998]) is a formal specification language which was developed in order to model concurrent systems through their communications. It was developed by Hoare in 1978 (Hoare [1978]). It is a member of the family of process algebras.

Process algebras are one of the most important concepts for describing concurrent behaviours of programs. CSP has been used for modelling industrial systems and is supported by several industrial strength tools. Therefore, we thought that it would be of great benefit to integrate CSP into the theorem prover and dependently typed programming language Agda, in order to develop a methodology for programming concurrent systems in dependent type theory. This would allow us as well to prove properties such as safety and liveness of CSP processes in Agda, and to integrate tools for CSP into Agda.


1.3 The IO Monad in Agda 

The model of CSP in Agda we are developing is essentially a variant of the IO monad formulated in Agda. In functional programming a lot of work has been invested in developing concepts for defining interactive, usually sequential, programs. The main approach is Moggi's IO monad. The IO monad was developed by Moggi [1991]. It was pioneered by Wadler and Peyton Jones (Wadler [1990, 1995], Peyton Jones and Wadler [1993], Wadler [1998, 1997]) as a paradigm for representing IO in functional programming, especially Haskell. Hancock and Setzer [2000a, 1999, 2000b] have developed a version of the IO monad in dependent type theory, which for the sake of brevity we call in this thesis the HS-monad. The HS-monad has been used together with other ideas for formalising IO in Idris (Brady [2008, 2013]). The HS-monad is now integrated into the standard library of Agda (Agda Community [2017a]) and into Idris. The HS-monad currently covers only sequential programs. In this thesis we explore the representation of processes in dependent type theory as a step towards concurrent interactive programs in dependent type theory.

The idea of the IO monad is that an element of (IO A) is an interactive program, which may or may not terminate, and if it terminates returns an element of type A. We can use the monadic bind to compose a p : IO A with a function f : A → IO B to form an element of (IO B). The program is executed by first running p. If p terminates with result a, one continues running (f a). Using nicely defined syntactic constructs, one can write sequences of operations in a way which looks similar to sequences of assignments in imperative style programming languages.

The IO monad has been used to develop interfaces and objects in object-based programming: objects are server-side interactive programs, which receive method calls as commands and return the result of the method call. Anton Setzer [2006] has used this approach in order to develop the notion of objects in dependent type theory. Together with Abel and Adelsberger (Abel et al. [2017]), he has extended this substantially to the library ooAgda (Abel et al. [2016]) for objects in Agda. This library includes state dependent objects, server-side programs, and correctness proofs. It was used in order to develop graphical user interfaces in Agda.

We will present as well an executable interactive program in Agda, which simulates processes. Our vision is to use this approach for writing concurrent programs in Agda, similarly to how it is done in the Java library JCSP (Welch et al. [2007]). The main example we are investigating is processes in the context of the European Rail Traffic Management System (ERTMS [2013]), for which, as mentioned before, we have carried out some initial modelling in CSP. Our vision is that prototypes can be executed in Agda directly. Other examples one can envisage are programs for networking in Agda.


1.4 Monadic Processes 

In this thesis we introduce a new concept for processes, namely that of a monadic process, which returns a value when it terminates. This means that processes, when they terminate, return a return value as well. This facilitates the combination of processes in a modular way. We can take one process with return values of a given type, which we call A, and another process which depends on A and has a return value of another type, say B, i.e. a function from A to processes with return value B. The monadic composition would first operate like the first process. If it returns with value a : A, the process then operates like the second process instantiated with a.

An example would be a vending machine. We could define a first process corresponding to the insertion of money until a key is pressed. The return value would be the amount of money inserted and the key pressed. Depending on this data, a second process can be defined, which finalises (or cancels) the vending process depending on the return value of the first process. The full vending machine is the result of combining those two processes using monadic bind.

The HS-monad reduces the IO monad to coinductively defined types. An element of (IO A) is either a terminated program, or it is a node of a non-well-founded tree having as label a command to be executed, and as branching degree the set of responses the real world gives in response to this command. In CSP-Agda we will model processes in a similar way. A CSP-Agda process can either terminate, returning a result, or it can be a tree branching over external and internal choices,¹ where for each such choice a continuing process is given. So instead of forming processes by using high level operators, as is usually done in process algebras, our processes are given by these atomic one-step operations. The high level operators are defined operations on these processes.

¹ There will be as well termination events, which we will discuss when introducing CSP-Agda.

Since processes are defined coinductively, we can introduce processes directly corecursively without having to use the recursion combinator. Abel, Pientka, Thibodeau and Setzer have (in Abel et al. [2013], Setzer et al. [2014]) developed the notion of coinductive types as being defined by their elimination rules or observations. This notion has now been implemented in Agda. This has a strong similarity to the notion of classes and objects in object oriented programming. Classes are essentially defined by their methods, and therefore given by their observations. Setzer, Abel and Adelsberger have used this approach in order to develop the notion of objects in dependent type theory (Setzer [2006], Abel et al. [2017]). In CSP-Agda we will make extensive use of this approach. Using a record type, we access directly for non-terminating processes the choice sets and corresponding subprocesses. It turns out that this makes programming with processes much easier, since it avoids the use of auxiliary functions.

We will make extensive use of sized types as introduced by Abel [2016] in Agda in the context of coinductive types. The main reason is that in its puristic form, primitive corecursion or guarded recursion does not allow any functions to be applied to the corecursion hypothesis. With sized types, size preserving functions can be applied, and therefore coinductive programs can be written in a modular way.

The index sets of processes will be given by universes, which are defined 
inductive-recursively as in Dybjer and Setzer [2003]. 


1.5 Proofs of Correctness of CSP-processes in Agda

Having developed processes in Agda, the next step is to prove properties about them. This requires developing CSP semantics in CSP-Agda. In this thesis, we will introduce three main semantics of CSP into CSP-Agda: the traces, the stable failures, and the failures, divergences and infinite traces (FDI) model. Since we need to take care of return values and since we have a new notion of terminated processes, special considerations are needed. In trace semantics, return values need to be added to terminating traces. The algebraic laws of CSP need to be adapted as well to deal with the difference in return values. We will give examples of proofs in CSP-Agda. We note here that when proving equalities we refer to the equalities in the various semantic models of CSP such as trace semantics, stable failures semantics etc., not to the intensional equality type. We will define those semantic equalities as types in CSP-Agda.
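The following is an added example and not code from the CSP-Agda library (which is written in Agda): a small Python model of the ideas in Sections 1.3 to 1.5. It encodes a process as either a terminated node carrying a return value or a one-step node of external and internal choices whose continuations are delayed thunks (our stand-in for coinduction), defines bind as a direct operation on that structure, builds the vending machine of Section 1.4 from two processes, and computes bounded traces in which, as Section 1.5 describes, a terminating trace carries the return value. The names Terminate, Node, bind, traces, refines, insert_money, finalise and the "tick" marker, the depth bound, and the price of two coins are all our assumptions.

```python
"""Added example: a small Python model of CSP-Agda's monadic processes and of
trace semantics with return values. Not the library's Agda code; all names and
encodings here (Terminate, Node, bind, traces, the vending machine) are ours."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Set, Tuple, Union

Trace = Tuple[Any, ...]             # labels, optionally ending in ("tick", value)
Thunk = Callable[[], "Process"]     # a delayed subprocess: stands in for coinduction


@dataclass(frozen=True)
class Terminate:
    """A terminated process together with its return value (monadic 'return')."""
    value: Any


@dataclass
class Node:
    """One atomic step: labelled external choices and silent internal choices.
    A continuation is only built when its choice is followed, so processes
    such as insert_money below may be infinite."""
    external: Dict[str, Thunk]
    internal: List[Thunk]


Process = Union[Terminate, Node]

STOP: Process = Node({}, [])                          # deadlock: no choices, not terminated


def SKIP(value: Any = None) -> Process:               # successful termination with a value
    return Terminate(value)


def prefix(label: str, p: Process) -> Process:        # label -> p
    return Node({label: lambda: p}, [])


def internal_choice(p: Process, q: Process) -> Process:   # p |~| q, decided silently
    return Node({}, [lambda: p, lambda: q])


def bind(p: Process, f: Callable[[Any], Process]) -> Process:
    """Monadic composition: behave like p; once p terminates with a, behave like f(a).
    Defined directly on the one-step structure, so it never forces a subprocess."""
    if isinstance(p, Terminate):
        return f(p.value)
    return Node({lab: (lambda c=c: bind(c(), f)) for lab, c in p.external.items()},
                [(lambda c=c: bind(c(), f)) for c in p.internal])


def traces(p: Process, depth: int) -> Set[Trace]:
    """Traces reachable within `depth` choice steps. Internal choices leave no
    mark in a trace; a trace of a terminated process ends in ("tick", return value)."""
    result: Set[Trace] = {()}
    if isinstance(p, Terminate):
        result.add((("tick", p.value),))
        return result
    if depth == 0:
        return result
    for label, cont in p.external.items():
        result |= {(label,) + t for t in traces(cont(), depth - 1)}
    for cont in p.internal:
        result |= traces(cont(), depth - 1)
    return result


def refines(spec: Process, impl: Process, depth: int) -> bool:
    """Trace refinement (every trace of impl is a trace of spec), checked up to `depth`."""
    return traces(impl, depth) <= traces(spec, depth)


def trace_equivalent(p: Process, q: Process, depth: int) -> bool:
    return traces(p, depth) == traces(q, depth)


# The vending machine of Section 1.4 in our encoding: the first process collects
# coins until a key is pressed and returns (amount, key); the second process
# serves or refunds depending on that return value.
def insert_money(amount: int = 0) -> Process:
    return Node({"coin":   lambda: insert_money(amount + 1),   # unbounded, hence coinductive
                 "ok":     lambda: Terminate((amount, "ok")),
                 "cancel": lambda: Terminate((amount, "cancel"))}, [])


def finalise(result: Tuple[int, str]) -> Process:
    amount, key = result
    if key == "ok" and amount >= 2:                         # assumed price: two coins
        return prefix("dispense", SKIP("served"))
    return prefix("refund", SKIP("refunded"))


vending: Process = bind(insert_money(), finalise)


def monad_right_identity_holds(depth: int = 4) -> bool:
    """bind p SKIP is trace-equivalent to p: one of the monad laws, in trace semantics."""
    p = insert_money()
    return trace_equivalent(bind(p, SKIP), p, depth)


if __name__ == "__main__":
    for t in sorted(traces(vending, 4), key=len):
        print(t)
    print("right identity:", monad_right_identity_holds())
```

Two points the code makes concrete: bind on a Node only rewraps the thunks, so it works on infinite processes such as insert_money without ever unfolding them, and the return value of a terminated process has to travel into the trace (here as the final ("tick", value) element), which is exactly why the classical trace-based laws need adjusting in the monadic setting. The depth bound is a device of this model; in CSP-Agda the semantics is defined over the coinductive structure itself.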


1.6 Main Achievements 

We aim to implement the process algebra CSP in dependent type theory, specifically in the theorem prover Agda. Specifically, we have achieved the following:

• We introduced a library called CSP-Agda for representing processes in the dependently typed theorem prover and interactive programming language Agda. We enhanced processes by a monad structure. The monad structure facilitates combining processes in a modular way. Processes are defined coinductively as non-well-founded trees. This allows recursion to be defined as a direct operation on processes. The nodes of the tree are formed by an atomic one-step relation, which determines for a process the external choices, internal choices and termination events it can choose, and whether the process has terminated. The operators of CSP are defined rather than atomic operations, and compute new elements of the data type of processes from existing ones. We defined primitive processes such as STOP, SKIP and Div. Other operators such as prefix, external choice, internal choice, hiding, renaming, parallel, interleaving, interrupt and sequential composition are defined in Agda as well.

• We have written a simulator in Agda. The simulator displays the process as a string. Then it computes and displays the set of ✓-events (termination events) and their results, and of external and internal choices together with their labels, and allows the user to follow external and internal choices to continue with the next process obtained. This simulator is written in the same language, Agda, in which proofs about processes are carried out, avoiding any translations between different languages.

• We have extended the trace semantics of CSP to the monadic setting. We implement this semantics, together with the corresponding refinement and equality relation, formally in CSP-Agda. In order to demonstrate the proof capabilities of CSP-Agda, we have proven in CSP-Agda selected algebraic laws of CSP based on the trace semantics. We have as well shown correctness properties for a case study in the railway domain.
• We have implemented the stable failures and the failures, divergences and infinite traces (FDI) semantics in Agda and defined the corresponding refinement and equality relations. Because of the monadic setting, some adjustments needed to be made to the algebraic laws. As an example, we prove that refinement with respect to stable failures semantics is a partial order.

• We have extended the library CSP-Agda by implementing strong bisimilarity in order to facilitate proofs of algebraic properties for the trace and stable failures semantics.

• We have as well implemented divergence-respecting weak (DRW) bisimilarity in Agda. We have shown that strong bisimilarity implies DRW bisimilarity, and that both imply equivalence with respect to trace semantics, stable failures semantics and FDI semantics. This allows proofs of algebraic properties in these semantics to be carried out more easily, by first showing strong or DRW bisimilarity and then obtaining equivalence in the other semantics directly. As an example, we apply this methodology to prove algebraic laws with respect to these semantics: we prove commutativity of the interleaving and external choice operators and prove two monadic laws.

• We have carried out a case study of modelling an example from the railway domain in CSP. We used the FDR tools to check that this model is free from deadlock and livelock, and to prove certain refinement statements. We used ProBE and CSP-Agda to simulate the possible-scenario railway model, and proved refinement statements directly in CSP-Agda as well.

1.7 Thesis Outline 

The remainder of this thesis is outlined as follows: 


Chapter 2 introduces and reviews the process algebra CSP and presents its syntax and its various semantics. We will as well discuss tool support for CSP.


Chapter 3 gives an overview of Agda. We will briefly present the main 
features of the theorem prover Agda, and discuss as well the reasons for 
choosing Agda for this project. 
Chapter 4 gives an overview of related work presented in seven parts. First (Sect. 4.1), we give an overview of the use of formal methods in an industrial environment. Then (Sect. 4.2) we present related work on using process algebra in order to model and verify industrial strength systems. In Sect. 4.2.1, we discuss work related to CSP. In Sect. 4.3, we give an overview of theorem provers. In Sect. 4.4, we investigate work on using functional programming for defining process algebras. In Sect. 4.5, we present work on defining process algebra in dependent type theory. In Sect. 4.6 work on defining process algebras in a coalgebraic manner is presented. In the following section, Sect. 4.7, we investigate work on using the theorem prover Agda as a platform for modelling and verifying systems.


In Chapter 5 we introduce the library CSP-Agda for representing processes in the dependently typed theorem prover and interactive programming language Agda. We will introduce the operators of CSP in Agda in that chapter.


In Chapter 6 we introduce a simulator for CSP processes in Agda (called CSP-Agda-Simulator). This will be an interactive program in Agda. The simulator allows one to explore the evolution of processes following external or internal choices.


In Chapter 7 we introduce trace semantics for CSP in Agda. This requires modifications to adjust trace semantics to the monadic setting. We implement this semantics, together with the corresponding refinement and equality relation, formally in CSP-Agda. To demonstrate the proof capabilities of CSP-Agda, we prove in CSP-Agda selected algebraic laws of CSP based on the trace semantics. Because of the monadic setting, some adjustments have been made to these laws. All proofs and definitions have been type checked in Agda.


In Chapter 8 we implement stable failures semantics in CSP-Agda and define the corresponding refinement and equality relations. As before, because of the monadic setting, some adjustments need to be made.


In Chapter 9 we introduce as well failures, divergences and infinite traces semantics in CSP-Agda. As an example, we prove that refinement with respect to stable failures semantics is a partial order.
In Chapter 10 we introduce strong and weak bisimulation and show that they imply trace and stable failures equivalence. As an example, we apply this methodology to prove algebraic laws for these semantics.

In Chapter 11 we present an example showing the use of CSP-Agda. We model a small example of a railway interlocking system with three components, namely Train, Signals and Segment. In the first stage, we model this scenario in CSP using the ProBE tool, and verify this model against deadlock, livelock, and a refinement statement using the FDR 2 tool. It turns out that this model (which was deliberately chosen to demonstrate how mistakes can be detected) is not safe. Therefore we correct it and show that it is now correct using ProBE and CSP-Agda. Finally, in Chapters 12 and 13 we summarise our work, and summarise future work related to this thesis.


1.8 Published Material 

The work shown in this thesis is based on a sequence of publications at several conferences and workshops, co-authored by the author of this thesis. These publications include:

1.8.1 Refereed Publications 

Programming With Monadic CSP-style Processes in Dependent Type Theory (Igried and Setzer [2016a]). This article presents a first attempt to give the type theoretic interactive theorem prover Agda the ability to model concurrent programs by representing the process algebra CSP in monadic form. The set of processes forms a monad (Process A), which depends on a set A. This allows us to define a dependent composition (monadic bind) and a dependent loop construct rec for processes. In this paper, we define processes coinductively. The termination checker of Agda guarantees productivity of processes. This allows processes to be defined recursively without having to reduce them to the recursion combinator. The processes in this paper are formed from an atomic one-step iteration. The operators of CSP are defined operations, which combine processes defined from atomic operations. The paper also introduces a simulator as an interactive program in Agda. The simulator allows one to observe the evolution of processes following external or internal choices. The goal was to write programs in Agda which directly use CSP processes. The intended application domain is the simulation of railway interlocking systems. Chapter 5 is mainly based on the results of this paper.
Trace and Stable Failures Semantics for CSP-Agda (Setzer and Igried [2017]). This paper reports on the continued development of a formalisation of the process algebra CSP in Agda. Compared to the work reported in the previous paper, this paper adds a formalisation of trace and stable failures semantics of the process algebra CSP in CSP-Agda. In CSP-Agda, CSP processes are in monadic form, which supports a modular development of processes. We introduce a variant of the definition of a trace, which records the process we obtain after following that trace. In this paper, we define as well the corresponding refinement and equality relations. As an instance, we prove commutativity of the external choice operator with respect to the trace semantics in CSP-Agda, and that refinement with respect to stable failures semantics is a partial order. All proofs and definitions have been type checked in Agda. Chapter 8 is mainly based on the results of this paper.

Defining Trace Semantics for CSP-Agda (Igried and Setzer [2018]). This paper is based on the library CSP-Agda, to which we have added the trace semantics of CSP, adjusted to a monadic setting. Since in CSP-Agda processes are monadic, we need to record, in case a process has terminated after following a trace, the return value of this process. We implement this semantics, together with the corresponding refinement and equality relation, formally in CSP-Agda. We demonstrate the proof capabilities of CSP-Agda by proving in CSP-Agda selected algebraic laws of CSP based on the trace semantics.

The examples covered in this paper are the laws of refinement, commutativity of interleaving and parallel, and the monad laws for the monadic extension of CSP. All proofs and definitions have been type checked in Agda. Additional proofs of algebraic laws are available in this thesis. Chapter 7 is mainly based on the results of this paper.

1.8.2 Refereed Short Papers 

Modelling and Verification of RBC Handover Using CSP (Igried [2014]). In this paper, we use the process algebra of communicating sequential processes (CSP) for modelling and verifying the RBC/RBC handover. We used the FDR2 model checker to verify that it is free from deadlock and livelock.

Representing the Process Algebra CSP in Type Theory (Igried and Setzer [2016d]). In this paper we introduce the library CSP-Agda. This was the first step towards defining the process algebra CSP in Agda. CSP processes are implemented coinductively (or coalgebraically). Later, in Igried and Setzer [2016a], we enhanced processes by defining them in a monadic way.

Defining Trace Semantics for CSP-Agda (Igried and Setzer [2016c]). In this paper, we gave the first definition of trace semantics for CSP-Agda. Then we showed how to prove algebraic laws of CSP in Agda using this semantics.

Strong Bisimilarity Implies Trace Semantics in CSP-Agda (Igried and Setzer [2016e]). In this paper, we extend the library CSP-Agda with two semantics in order to prove properties of safety critical systems. We present trace semantics in the theorem prover Agda, together with the corresponding refinement and equality relation. To facilitate proofs of algebraic properties for this semantics, we introduce strong bisimilarity and show that it implies trace equivalence. As an example, we apply this methodology to commutativity of interleaving.

1.8.3 Papers in Preparation 

Defining Strong Bisimulation for CSP-Agda. In this upcoming paper, 
we will define strong bisimulation and prove that strong bisimilarity implies 
trace semantics in CSP-Agda. We apply this methodology to the proof of 
algebraic laws according to the stable failures and trace model. Chapter 10 
is mainly based on the results of this paper. 

Weak Bisimilarity Implies Trace Semantics in CSP-Agda. In this paper, we will define divergence-respecting weak bisimulation and prove that this form of weak bisimulation implies trace semantics in CSP-Agda. We apply this methodology to prove algebraic laws according to the trace model. Chapter 10 is mainly based on the results of this paper.

Weak Bisimilarity Implies Stable Failures Semantics in CSP-Agda. 

In this paper, we will prove that weak bisimulation implies stable failures 
semantics. This methodology facilitates the proof of algebraic laws with 
respect to stable failures semantics. Chapter 10 is mainly based on the 
results of this paper. 

Modelling and Verification of the ETCS Protocol in CSP-Agda. In this planned paper we will investigate processes in the context of the European Rail Traffic Management System (ERTMS [2013]), for which initial modelling in CSP was carried out in Igried [2014]. Our plan is that prototypes can be executed in Agda directly. Other examples one can envisage are programs for networking in Agda. Chapter 11 presents a smaller case study and gives first results of this project.

1.8.4 Conferences, Workshops and Talks

Attendance of workshop with refereed contributed talk at the 26th Nordic Workshop on Programming Theory, NWPT'14, 19 - 31 Oct. 2014, Halmstad University, Sweden. Title of talk: Modelling and Verification of RBC Handover Using CSP.

Attendance of workshop “BCS FACS - ProCoS Workshop on Provably 
Correct Systems”, 9-10 March 2015, London 

Attendance of 22nd International Conference on Types for Proofs and Programs, TYPES 2016, 23-26 May 2016, Novi Sad, Serbia. Title of talk: Representing the Process Algebra CSP in Type Theory.

Attendance of Workshop on Type-Driven Development (TyDe 2016), Sun 18 - Sat 24 September 2016, Nara, Japan. Title: Programming with monadic CSP-style processes in dependent type theory.

Attendance of Workshop on Mathematical Logic and its Applications, 
Kyoto, Japan, 16 - 22 September 2016. 

Attendance of Workshop on Coalgebra, Horn Clause Logic Programming and Types (CoALP-Ty'16), Edinburgh, UK, 28-29 November 2016. Title: Defining Trace Semantics for CSP-Agda.

Attendance of 23rd International Conference on Types for Proofs and 
Programs, TYPES 2017. Title: Strong Bisimilarity Implies Trace Semantics 
in CSP-Agda. 

Attendance of Proof, Verification and Complexity Seminar, Dept of Computer Science, Swansea University. Title of talk: "Modelling and Verification of RBC Handover Using CSP", 16th Oct. 2014.
Attendance of SPES XT (Software Platform Embedded Systems) summer school, 17-23 Sept. 2014, Twente, The Netherlands. Title of talk: Formal Verification of CSP.

Talk given at JAIST, Kanazawa, Japan, September 2016. Title: Programming with monadic CSP-style processes in dependent type theory.

Talk given at Computer Science Research Away Day, Village Hotel, Swansea, UK, 9th June 2017. Title: Defining CSP-style processes in dependent type theory.

Use of literate Agda. All displayed proofs in this thesis have been written using literate Agda (Agda Community [2017b]), which allows one to combine Agda with LaTeX code. They have been type checked in Agda. Full versions can be found in the repository of CSP-Agda (Igried and Setzer [2016b]).
Chapter 2

CSP


"Process algebras" were initiated in 1982 by Bergstra and Klop [1982] in order to provide a formal semantics for concurrent systems. A "process" is a representation of the behaviour of a concurrent system. "Algebra" means that the system is dealt with in an algebraic and axiomatic way (Baeten et al. [2007]). Process algebras allow distributed or parallel systems to be studied in an algebraic way. Processes are formed from a collection of operator symbols, and axioms express the properties of the processes formed from operators in terms of the properties of the processes used. Most process algebras have basic operators to construct finite processes, synchronisation and parallel constructs to express concurrency, and a notion of recursion to obtain infinite behaviour. The basis of process algebra is that it forces an equational logic on process terms, such that we can say two processes are equal if and only if the behaviour graphs for both processes are equal. The main process algebras are the Calculus of Communicating Systems (CCS, Milner [1982]), Communicating Sequential Processes (CSP, Brookes et al. [1984]) and the Algebra of Communicating Processes (ACP, Bergstra and Klop [1984b]), from which more advanced process calculi such as Milner's π-calculus (Milner et al. [1992]) were derived.

In this thesis we will work on CSP. The main reason for choosing CSP is that it has considerable tool support and seems to be the process algebra which is most widely used in industry. This was very beneficial when modelling elements of the European Train Management System ERTMS in CSP. We could build as well on the rich expertise on CSP at the computer science department at Swansea University.

The general technique of modelling processes coinductively, based on a one-step operation in a monadic way, should work for other process calculi as well; we mainly investigated CCS, where this should be possible. Some aspects might even simplify, since CCS does not have termination events, which turned out to be quite difficult to deal with, with many subtle issues. In CCS we could directly work with weak bisimilarity, which is its main semantics, without the need to study the other semantics as in this thesis.


2.1 Communicating Sequential Processes 

The process algebra CSP (Hoare [1978], Roscoe [1998], Schneider [1999]) was developed by Hoare in Hoare [1978]. CSP is a formal specification language, developed in order to describe concurrent systems by identifying their behaviour through their communications. CSP is a notation for studying processes which interact with each other and their environment. In CSP, we can describe a process by the way it can communicate with its environment. The most fundamental object in CSP is an event. Events can be external events, which can be observed externally and are given by a label; silent internal events, which are not observable from the outside; and termination events, corresponding to the termination of a process. The set of labels forms an alphabet Σ. A system is formed by one or more processes, where these processes interact with each other through their external and termination events. The overall system in CSP can be described by specifying the behaviour of the interacting processes. CSP has a variety of semantics which give meaning to the processes.

Similar to CSP, the Calculus of Communicating Systems (CCS, Milner 
[1982]), introduced in 1980 by Robin Milner, deals with the interacting 
behaviours of finite state machines. In CCS processes are defined as agents, 
and the behaviour of a process is defined in terms of the events it can perform. 
In CCS a labelled transition system is used to interpret the expressions of the 
language. Semantic equivalence is defined as bisimilarity, whereas semantic 
equivalence in CSP is based on extensions of trace semantics. Unlike CSP, 
CCS does not distinguish between an external and an internal choice 
operator, whereas CSP has two kinds of choice operators, namely the 
external choice operator and the internal choice operator. In CSP the 
internal event never appears in the trace semantics; by contrast, internal 
events in CCS appear in the trace semantics. In CSP there is a process STOP 
which represents deadlock and a process SKIP which represents successful 
termination. On the other hand, CCS does not distinguish between deadlock 
and successful termination. Instead it has a single "terminated" process, nil, 
which stands for both successful termination and deadlock. 

In the following we will first present the syntax of CSP and then introduce 
different semantics for it. 
2.2 Framework of CSP 

We will first introduce the language of CSP operationally, i.e. in terms 
of how CSP processes are to be executed. The language of CSP is by nature 
denotational (Schneider [1999], p. viii). Schneider [1999] nevertheless 
explains the language of CSP operationally as well, in order to obtain a 
better understanding of the CSP operators. There he introduces transitions, 
events and processes, together with inference rules for deriving those 
transitions. 

2.2.1 Transitions 

A transition system represents the behaviour of a process. Processes in 
CSP form a labelled transition system (LTS), where the one-step transition 
is written as 

$P \xrightarrow{e} Q$, where $P$, $Q$ are processes and $e$ is an event, 

which means that process $P$ can evolve to process $Q$ by event $e$. The event 
$e$ can be a label, the silent transition $\tau$, or the termination 
event $\checkmark$. For example the execution of the process $a \to b \to STOP$ can 
be described by the LTS: 

$(a \to b \to STOP) \xrightarrow{a} (b \to STOP) \xrightarrow{b} STOP$ 


2.2.2 Inference rules 


The operational semantics of CSP is determined by inference rules of the form 

$\dfrac{\text{Antecedent}_1 \quad \cdots \quad \text{Antecedent}_n}{\text{Conclusion}}\ (\text{Sidecondition})$ 

Derivations of a transition are the derivations formed from those inference 
rules and are inductively defined. 

The operational semantics of CSP treats processes as states. The transitions 
between states are given by the firing rules for those processes. 


2.2.3 Events 

A system in CSP is given by its components (processes). These components 
can interact with each other or with the environment through their interfaces. 
For instance, a cassette recorder might be considered as a process. Its 
interface will include buttons like Play, Stop, Forward, Backward etc., as 
well as the door through which the tape can be inserted. Through this interface 
the process can interact with the users (environment). This interface is 
considered as a set of events. The set of events in the interface of a CSP 
process is a static specification; the dynamic specification is given by 
describing how the process behaves operationally. 1 Events in CSP represent 
interactions, and are considered to be indivisible and instantaneous. Events 
in CSP can be atomic. For instance, the interface of the last example, 
the cassette recorder, has the atomic events Play, Stop, Forward, Backward, etc. 
Events in CSP can as well be compound, i.e. they can have some structure. 
For instance, consider an Automated Teller Machine (ATM) as a process, 
where the customer can enter the card and get it returned, ignoring the other 
events. This can be written in CSP as having the events card.in and card.out. 
Additionally, an event can get its structure from a communication channel 
which carries some information (i.e. messages). The value $v$ communicated 
over a channel $c$ is described as an event $c.v$ in the process interface. 
For instance, consider a process $P$ with input channel $in$ which can carry 
the values 0 and 1. Both values 0 and 1 carried over the channel $in$ 
appear in the interface of the process $P$ as the separate events $in.0$ and 
$in.1$. Furthermore an event can be considered as an input or an output event. 
For instance, consider the following CSP expression: 

$c!v \to P$ 

The above process is willing to output the value $v$ over channel $c$, and then 
behave like the process $P$. This behaviour is captured by the following firing 
rule: 

$(c!v \to P) \xrightarrow{c.v} P$ 

Input is explained through the following expression: 

$c?x : T \to P(x)$ 

Here a process $P(x)$ is defined for each $x \in T$. The process $c?x : T \to 
P(x)$ is willing to receive any value $x$ of the type $T$ over the channel $c$, and 
then behaves like the process $P(x)$. Receiving is described in CSP by the 
following firing rule: 

$(c?x : T \to P(x)) \xrightarrow{c.v} P(v)\ [v \in T]$ 

1 We note here that in CSP-Agda we will index the possible events by index sets. These 
index sets will not carry any semantic meaning. 
Besides this kind of external events, which are labelled by elements of an 
alphabet $\Sigma$, there are internal events labelled by $\tau$, which are internal 
changes of the state of a process. Furthermore there are termination events 
$\checkmark$, which will be introduced in Subsect. 2.3.1 below. 

In this thesis we assume an alphabet $\Sigma$ with $\checkmark, \tau \notin \Sigma$. $\mu$ will be an 
element of $\Sigma^{\checkmark,\tau} := \Sigma \cup \{\checkmark, \tau\}$, and $a, b, c$ will be elements of $\Sigma$. 

2.3 The Syntax of CSP 

In this section we will explain each operator and give an example to illustrate 
its meaning. The following table lists the syntax of CSP processes, i.e. the 
primitive CSP processes and the CSP operators. Here $Q$ represents a CSP 
process: 

    $STOP$                      deadlock process 
    $SKIP$                      terminating process 
    $DIV$                       diverging process 
    $a \to Q$                   event prefix process 
    $Q \,\square\, Q$            external choice 
    $Q \,\sqcap\, Q$             internal choice 
    $Q \setminus A$             hiding 
    $Q[R]$                      renaming 
    $Q \,|[A|B]|\, Q$           alphabetised parallel 
    $Q \,|||\, Q$               interleaving 
    $Q \,|[A]|\, Q$             interface parallel 
    $Q \,\triangle\, Q$         interrupt 
    $Q \,;\, Q$                 composition 

In the above table, $A$ and $B$ are parameters, namely the sets of events that 
$Q_{left}$ and $Q_{right}$, respectively, are allowed to perform. Furthermore, 
$R$ is a function renaming the events of the process $Q$. 

2.3.1 Primitive Processes 

CSP has several primitive, i.e. atomic, processes. The main primitive process 
is STOP. The process STOP does not have any transition rule, since it 
cannot engage in any event and refuses all communication. The process 
STOP represents the deadlocked process, which has no (internal or external) 
transitions. 

CSP has as well the process SKIP, which represents successful termination. 
This is indicated by performing a special event called the termination event 
$\checkmark$. As $\checkmark$ is a special event, it cannot be a member of the alphabet of the 
process (i.e., it cannot appear as the event of a prefix operator). The CSP 
process SKIP terminates immediately. It has the following rule: 

$SKIP \xrightarrow{\checkmark} STOP$ 

Furthermore we have the diverging process DIV. This process has as its only 
transition 

$DIV \xrightarrow{\tau} DIV$ 

which means it can perform an infinite sequence of $\tau$-transitions. 


2.3.2 Sequential Composition 

The sequential composition of two processes $P$ and $Q$ is written in CSP as 
$P ; Q$. The combination $P ; Q$ behaves as $P$ until $P$ terminates, in which 
case it switches to $Q$. For instance, the process 

$COMP_1 = a \to SKIP ; b \to STOP$ 

performs the event $a$ followed by the event $b$ and then behaves like the process 
STOP, i.e. it deadlocks. This process behaves as $a \to b \to STOP$. The 
following process 

$COMP_2 = a \to STOP ; b \to STOP$ 

behaves in a different way: after performing the event $a$ the process behaves 
like the process STOP (i.e. it deadlocks), which never terminates successfully. 
Therefore control is never passed over to the process $b \to STOP$, so $COMP_2$ 
behaves as $a \to STOP$. 

The transition rules for the sequential composition operator are as follows: 

$\dfrac{P \xrightarrow{\mu} P'}{P ; Q \xrightarrow{\mu} P' ; Q}\ [\mu \neq \checkmark] 
\qquad 
\dfrac{P \xrightarrow{\checkmark} P'}{P ; Q \xrightarrow{\tau} Q}$ 

The sequential composition operates initially like the first process. When 
the first process terminates, its successful termination event becomes an 
internal event, and after that internal event the composed process behaves 
like $Q$. The process composed by sequential composition therefore has a 
termination event only once it has reached a termination event of the second 
process. 
2.3.3 Event Prefix 

The prefix operator constructs from an existing process $P$ a process $a \to P$, 
pronounced in CSP "$a$ then $P$". It has one external event $a \in \Sigma$, after which 
it behaves like $P$. Its behaviour is captured by the following firing rule: 

$(a \to P) \xrightarrow{a} P$ 

This is an example of an axiom, i.e. a rule with no side conditions and no 
antecedents. 

For instance, consider the process $PreF$ which can perform only the event 
$a$ and then behaves like the process STOP, which has no transitions. It is 
given as follows: 

$PreF = a \to STOP$ 


2.3.4 Recursion 

CSP uses recursive definitions in order to describe the execution of processes 
which operate in an infinite manner. Recursive processes are introduced in 
CSP in an equational style $N = P$. Here $N$ is a new name for the process 
to be defined, and $P$ is a CSP expression which can make use of $N$. Such a 
recursive definition of a process is valid only if on the right-hand side of 
the equation every recursive occurrence of the process name is preceded by at 
least one event prefix. An example where this condition is not fulfilled is 
the recursive equation $N = N$, which does not define a valid process. 
A process which begins with a prefix is called a guarded process, and if the 
right-hand side of a recursive definition is a guarded process, the recursive 
definition has a unique solution. 

For example $P = a \to b \to P$ is a process that repeats infinitely often 
an $a$ event followed by a $b$ event. The firing rule for unwinding a name $N$ 
recursively bound to a process $P$ is given as follows: 

$\dfrac{P \xrightarrow{\mu} P'}{N \xrightarrow{\mu} P'}\ [N = P]$ 

The rule above states that the transitions of $N$ are the same as those 
of $P$. We can write the process $P$ in the form $F(N)$ in order to make 
the dependency on $N$ explicit. Then we have $F(Y) = P[Y/N]$, where the latter 
is the substitution of $N$ by $Y$. As an example we have 

$(a \to b \to P)[a \to STOP / P] = a \to b \to a \to STOP$ 
2.3.5 Internal Choice 

CSP offers two kinds of operators for choices between two processes: external 
choice and internal choice. In external choice the operator allows the 
environment to choose an external event of $P$ or $Q$, and then continues as 
process $P$ or $Q$, respectively. In contrast, internal choice leaves the choice 
between the processes to the process itself. The internal choice between 
processes $P$ and $Q$ is written as $P \sqcap Q$. This process chooses 
non-deterministically to continue as $P$ or as $Q$. Consider for instance the 
process 

$IntCH = a \to SKIP \,\sqcap\, b \to STOP$ 

In this case the process switches internally to either $a \to SKIP$ or $b \to 
STOP$. In the first case it has only one external event, namely an $a$-event, 
and then behaves like SKIP (i.e. it terminates successfully); in the second 
case it has only one $b$-event and then behaves like STOP (i.e. it deadlocks). 
The inference rules for the internal choice operator are as follows: 

$P \sqcap Q \xrightarrow{\tau} P \qquad P \sqcap Q \xrightarrow{\tau} Q$ 

As for external choice, CSP has an indexed internal choice operator, which 
takes an arbitrary number of processes. For instance the process 

$\sqcap_{x \in \{a,b,c\}}\ x \to STOP$ 

can internally choose $x = a$, $x = b$ or $x = c$, and then has an external 
event labelled by $x$ followed by the STOP process. 

The inference rule for the indexed internal choice operator is as follows: 

$\sqcap_{i \in I} P_i \xrightarrow{\tau} P_j\ [j \in I]$ 

2.3.6 External Choice 

External choice between processes $P$ and $Q$ is written in CSP as $P \,\square\, Q$. 
External choice allows the environment to choose an external event of $P$ or 
$Q$, and then continues as process $P$ or $Q$, respectively. For instance, consider 
the process $ExtCH$ 

$ExtCH = a \to SKIP \,\square\, b \to STOP$ 

The $ExtCH$ process can first perform one of the two events $a$ or $b$. If $a$ is 
chosen it continues as SKIP, and if $b$ is chosen it continues as STOP. The 
firing rules for external choice are as follows: 

$\dfrac{P \xrightarrow{a} P'}{P \,\square\, Q \xrightarrow{a} P'} 
\qquad 
\dfrac{P \xrightarrow{\tau} P'}{P \,\square\, Q \xrightarrow{\tau} P' \,\square\, Q}$ 

$\dfrac{P \xrightarrow{a} P'}{Q \,\square\, P \xrightarrow{a} P'} 
\qquad 
\dfrac{P \xrightarrow{\tau} P'}{Q \,\square\, P \xrightarrow{\tau} Q \,\square\, P'}$ 

A silent transition of one side does not resolve the choice, whereas an 
external event does. There exists as well a generalisation of the binary 
external choice operator, which creates the external choice over a finite 
number of processes indexed over an index set $I$. The firing rules for the 
indexed external choice operator are as follows: 

$\dfrac{P_j \xrightarrow{a} P'}{\square_{i \in I} P_i \xrightarrow{a} P'}\ [j \in I] 
\qquad 
\dfrac{P_j \xrightarrow{\tau} P_j'}{\square_{i \in I} P_i \xrightarrow{\tau} \square_{i \in I} P_i'}\ [j \in I] 
\quad \text{where } P_i' = P_i \text{ for } i \neq j$ 


2.3.7 Parallel and Interleaving 

CSP has several parallel operators which force a number of processes to work 
together and interact through synchronous events. When the participants 
engage in a synchronous event, the synchronisation occurs simultaneously, 
like a handshake, and is therefore called handshake synchronisation. In the 
following we will explain the most important parallel operators together with 
examples. 


Alphabetised Parallel 

The alphabetised parallel operator of CSP depends on alphabets $A$, $B$ for 
the two processes $P$, $Q$ operating in parallel. When put in parallel, process 
$P$ can only perform events in $A$ and process $Q$ can only perform events in 
$B$. Furthermore, any event in $A \cap B$ needs to be synchronised between $P$ 
and $Q$. Silent transitions can occur individually in $P$ and in $Q$, whereas the 
termination event needs to be synchronised between $P$ and $Q$. The transition 
rules are as follows: 

$\dfrac{P \xrightarrow{a} P' \quad Q \xrightarrow{a} Q'}{P \,|[A|B]|\, Q \xrightarrow{a} P' \,|[A|B]|\, Q'}\ [a \in (A \cup \{\checkmark\}) \cap (B \cup \{\checkmark\})]$ 

$\dfrac{P \xrightarrow{\mu} P'}{P \,|[A|B]|\, Q \xrightarrow{\mu} P' \,|[A|B]|\, Q}\ [\mu \in (A \cup \{\tau\}) \setminus B] 
\qquad 
\dfrac{P \xrightarrow{\mu} P'}{Q \,|[B|A]|\, P \xrightarrow{\mu} Q \,|[B|A]|\, P'}\ [\mu \in (A \cup \{\tau\}) \setminus B]$ 

The first rule states that events in the intersection of $A$ and $B$, and 
termination events, need to be executed by both processes simultaneously. 
The second rule allows each process to perform individually those events which 
are not in the alphabet of the other process, as well as silent transitions. 

As an example consider 

$(a \to P) \,|[\{a\} \,|\, \{a,b\}]|\, (a \to Q \,\square\, b \to Z)$ 

This process can perform the event $a$ and behave as the process 
$P \,|[\{a\} \,|\, \{a,b\}]|\, Q$, or perform the event $b$ and behave as 
$(a \to P) \,|[\{a\} \,|\, \{a,b\}]|\, Z$. 

Consider now the following process: 

$(a \to P) \,|[\{a,b\} \,|\, \{a,b\}]|\, (a \to Q \,\square\, b \to Z)$ 

It cannot perform the event $b$, since the left process cannot perform it. It can 
only perform the event $a$ and then behaves as $P \,|[\{a,b\} \,|\, \{a,b\}]|\, Q$. 


Interleaving 

Independent concurrent behaviour is represented in CSP by the interleaving 
operator. The interleaving of $P$ and $Q$ is written in CSP as $P \,|||\, Q$ and is 
pronounced "$P$ interleave $Q$". The combination $P \,|||\, Q$ executes the processes 
$P$ and $Q$ independently. The only way the processes engage with each 
other is when they terminate. The transition rules are as follows: 

$\dfrac{P \xrightarrow{\checkmark} P' \quad Q \xrightarrow{\checkmark} Q'}{P \,|||\, Q \xrightarrow{\checkmark} P' \,|||\, Q'}$ 

$\dfrac{P \xrightarrow{\mu} P'}{P \,|||\, Q \xrightarrow{\mu} P' \,|||\, Q}\ [\mu \neq \checkmark] 
\qquad 
\dfrac{P \xrightarrow{\mu} P'}{Q \,|||\, P \xrightarrow{\mu} Q \,|||\, P'}\ [\mu \neq \checkmark]$ 

If $P$ and $Q$ have disjoint alphabets $A$, $B$, the alphabetised parallel 
behaves as interleaving: if $P$ and $Q$ have events in $A$, $B$ respectively, and 
$A \cap B = \emptyset$, then $P \,|[A|B]|\, Q$ and $P \,|||\, Q$ behave in the same way. 

For instance, if $P'$ is a process using only events from $\{a,b\}$, then 

$P' \,|[\{a,b\} \,|\, \{c,d\}]|\, (c \to d \to Q)$ 

behaves as 

$P' \,|||\, (c \to d \to Q)$ 
Interface Parallel 

The interface parallel operator defines the parallel operation of two processes, 
where a subset $A$ of the interface is synchronised. A synchronised event 
can only occur when both processes are able to perform it. The operational 
semantics of the interface parallel operator is given by the following rules: 

$\dfrac{P \xrightarrow{a} P' \quad Q \xrightarrow{a} Q'}{P \,|[A]|\, Q \xrightarrow{a} P' \,|[A]|\, Q'}\ [a \in A \cup \{\checkmark\}]$ 

$\dfrac{P \xrightarrow{\mu} P'}{P \,|[A]|\, Q \xrightarrow{\mu} P' \,|[A]|\, Q}\ [\mu \notin A \cup \{\checkmark\}] 
\qquad 
\dfrac{P \xrightarrow{\mu} P'}{Q \,|[A]|\, P \xrightarrow{\mu} Q \,|[A]|\, P'}\ [\mu \notin A \cup \{\checkmark\}]$ 

Consider for instance $P = a \to b \to P$, $Q = a \to c \to Q$. The only 
transition of $P \,|[\{a\}]|\, Q$ is 

$P \,|[\{a\}]|\, Q \xrightarrow{a} (b \to P) \,|[\{a\}]|\, (c \to Q)$ 

After this transition it can continue in two different ways: 

$(b \to P) \,|[\{a\}]|\, (c \to Q) \xrightarrow{b} P \,|[\{a\}]|\, (c \to Q) \xrightarrow{c} P \,|[\{a\}]|\, Q$ 

$(b \to P) \,|[\{a\}]|\, (c \to Q) \xrightarrow{c} (b \to P) \,|[\{a\}]|\, Q \xrightarrow{b} P \,|[\{a\}]|\, Q$ 


2.3.8 Hiding 

The hiding operator hides a set of events in a process, replacing them by 
internal $\tau$-transitions. Its main use is when processes communicate with 
each other and one wants to hide these internal communications. The notation 
in CSP for hiding is $P \setminus A$, pronounced "$P$ hides $A$", which hides the 
events in $A$ from the process $P$. Since the events are no longer visible, no 
other process can engage in them. The behaviour of the hiding operator is 
determined by the following firing rules: 

$\dfrac{P \xrightarrow{a} P'}{P \setminus A \xrightarrow{\tau} P' \setminus A}\ [a \in A] 
\qquad 
\dfrac{P \xrightarrow{\mu} P'}{P \setminus A \xrightarrow{\mu} P' \setminus A}\ [\mu \notin A]$ 
For example, the stop-and-wait protocol (based on examples taken from 
Schneider [1999], Section 3.1) implements a one-place buffer as a process 
consisting of two parts, Sender and Receiver. When they are combined through 
the parallel operator, a one-place buffer is formed. A message input to the 
Sender is passed over the channel $mid$ to the Receiver; then the Sender 
waits for an acknowledgement. The processes Sender and Receiver are specified 
as follows: 

$Sender = in?x \to mid!x \to ack \to Sender$ 
$Receiver = mid?y \to out!y \to ack \to Receiver$ 

The Sender reads a value of type $T$ over channel $in$ and binds it to the 
variable $x$. Afterwards this value is sent over channel $mid$ to the Receiver. 
When the message has been output, the Receiver sends an acknowledgement. The 
combined behaviour is obtained by combining the processes Sender and Receiver 
using the parallel operator (synchronising on the events of $mid$ and on 
$ack$, so that a send can only happen together with the matching receive), 
and then hiding the internal communications, as follows: 

$(Sender \,||\, Receiver) \setminus (mid \cup ack)$ 

Here $mid$ stands for the set of all events $mid.v$ and $ack$ for the single event 
$ack$. In the above definition Sender and Receiver are combined using the 
parallel operator, and all communication along channel $mid$ and via the event 
$ack$ is hidden. The resulting process can be considered as a black box 
regarding the events $mid$ and $ack$. Externally it can receive a value over 
channel $in$ and output it on channel $out$. 

2.3.9 Renaming 

The renaming operator allows to rename the events of a process. This 
operator is useful to obtain a new process by reusing a previous description of 
a process without the need to rewrite the process in full. In the language 
of CSP a total bijective function $f : \Sigma \cup \{\checkmark\} \to \Sigma \cup \{\checkmark\}$ on 
events is used to describe the change of events, with the additional condition 
that $f(\checkmark) = \checkmark$. The renaming function maps external events to external 
events, but never to internal events. Termination events are not changed by 
the renaming function. The operational semantics of the renaming operator is 
captured by the following transition rules: 

$\dfrac{P \xrightarrow{a} P'}{f(P) \xrightarrow{f(a)} f(P')} 
\qquad 
\dfrac{P \xrightarrow{\tau} P'}{f(P) \xrightarrow{\tau} f(P')}$ 
2.3.10 Interrupt 

The interrupt operator $P \,\triangle\, Q$ offers a mechanism for passing control 
from one process to another. The difference between $P \,\triangle\, Q$ and sequential 
composition is that in $P \,\triangle\, Q$ control can pass from $P$ to $Q$ at any time 
(i.e. by $Q$ stealing control). The interrupt operator in the process 
$P \,\triangle\, Q$ leaves control with $P$ while events are carried out 
by $P$. The moment an external event is performed by $Q$, control passes 
to $Q$. The inference rules for the interrupt operator are as follows: 

$\dfrac{P \xrightarrow{\mu} P'}{P \,\triangle\, Q \xrightarrow{\mu} P' \,\triangle\, Q}\ [\mu \neq \checkmark] 
\qquad 
\dfrac{P \xrightarrow{\checkmark} P'}{P \,\triangle\, Q \xrightarrow{\checkmark} P'}$ 

$\dfrac{Q \xrightarrow{\tau} Q'}{P \,\triangle\, Q \xrightarrow{\tau} P \,\triangle\, Q'} 
\qquad 
\dfrac{Q \xrightarrow{a} Q'}{P \,\triangle\, Q \xrightarrow{a} Q'}$ 


2.4 The Semantics of CSP 

The main goal of a semantics for CSP is to determine whether two processes 
$P$ and $Q$ are equal, and whether process $P$ refines process $Q$. These two 
notions are in fact interdefinable: two processes are equal iff each refines 
the other, and $P$ refines $Q$ iff $P$ is equal to $P \sqcap Q$. Therefore it is 
only necessary to define one of them in a semantics. CSP has different kinds 
of semantics: operational semantics, denotational semantics, and axiomatic 
semantics. Each semantics gives a meaning to the expressions. 

Operational semantics is used to create a transition system for a CSP 
process. The axiomatic semantics allows to derive facts from derivation 
rules. It offers a set of algebraic laws to transform processes into other equal 
processes, and can be used to prove that two different processes are equal. 
Denotational semantics determines a semantic domain and assigns to each 
process an element of this domain as its semantics. According to Schneider 
[1999], CSP has three main denotational semantics: (1) trace semantics (traces), 
(2) stable failures semantics (failures), and (3) failures, divergences, and 
infinite traces semantics (failures, divergences, infinites). Apart from this 
there exist three main kinds of bisimulation semantics: strong bisimulation, weak 
bisimulation, and divergence-respecting weak bisimulation. 


2.4.1 Trace Semantics 

In CSP the traces of a process are the sequences of actions, i.e. the labels of 
external events, which the process can perform. We simply record the actions 
that a process may perform. For example 

$\langle light\_on, light\_off \rangle$ 

is a single trace, where we first observe that the light is switched on, followed 
by the light being switched off. Since processes in CSP are non-deterministic, 
a process can follow different traces during its execution. 

The trace semantics of a process is the set of its traces. For instance, 
consider the Bus process, in which a person may board the bus, pay for 
the service, and then alight at the next stop. This process is represented in 
CSP as follows (based on examples taken from Schneider [1999]): 

$Bus = board.A \to (pay.90 \to alight.B \to STOP \,\square\, alight.A \to STOP)$ 

The set of traces of the Bus process is 

$traces(Bus) = \{\langle\rangle, \langle board.A \rangle, \langle board.A, pay.90 \rangle, 
\langle board.A, pay.90, alight.B \rangle, \langle board.A, alight.A \rangle\}$ 

In CSP, a process $P$ refines a process $Q$, written $P \sqsubseteq_T Q$, if and 
only if any observable behaviour of $Q$ is an observable behaviour of $P$, i.e. if 
$traces(Q) \subseteq traces(P)$. 

Two processes $P$, $Q$ are equal with respect to trace semantics, written 
$P =_T Q$, if they refine each other, i.e. if $traces(P) = traces(Q)$. 

2.4.2 Stable Failures Semantics 

The trace semantics refers only to the observable traces. It does not distinguish 
between external and internal choice. In particular it does not tell what 
a process can refuse to do. In case of external choice, a process cannot refuse 
any of the external choices available for the subprocesses, whereas in case of 
internal choice, it can switch internally to one of the subprocesses and reach 
a state where it can carry out only the external choices of that subprocess. 
A good example can be found in Chapter 8. The stable failures model has been 
developed to take care of this problem and to distinguish between external 
and internal choice. 2 The stable failures model refers to a refusal set. A 
refusal set is a set of events a process fails to perform, no matter how long it 
is offered. Failures in CSP are defined as pairs $(t, X)$, where $t \in traces(P)$ 
and $X$ is a refusal set for process $P$ after performing trace $t$. This means 
that $X$ is a set of labels such that after performing trace $t$, the process 
can reach a state where it cannot carry out a transition with a label in $X$. A 
failure is called a stable failure if the process reached with this refusal set 
cannot carry out any internal transition. 

Refinement between two processes in the stable failures semantics holds 
whenever it holds between their sets of traces and stable failures (written as 
$failures(P)$): 

$P \sqsubseteq_F Q \text{ iff } traces(Q) \subseteq traces(P) \wedge failures(Q) \subseteq failures(P)$ 

2 See Sect. 8.5 of Roscoe [1998] for the precise history of the stable failures model. 

2.4.3 Failures, Divergences, and Infinite Traces Semantics 

The stable failures model records the events that a process performs together 
with the sets of events the process fails to perform after it stabilises. The 
stable failures model is not effective in analysing processes which can diverge, 
i.e. which have an infinite sequence of $\tau$-transitions. The stable failures 
model ignores any divergent behaviour. 

Consider for instance the processes $P = STOP$ and $Q = STOP \sqcap DIV$. 
The only trace of $P$ and $Q$ is $\langle\rangle$, and the only stable state is STOP, 
which refuses all events. So $P$ and $Q$ are equivalent with respect to the two 
previous semantics. However $Q$ can diverge by choosing the $\tau$-transition to 
DIV, whereas $P$ cannot. 

There are two kinds of divergent behaviour: 

• Traces that lead to a divergent state, i.e. a state where the process can 
perform an infinite sequence of $\tau$-transitions. 

• Infinite traces, in which a process can perform infinitely many events, but 
may as well fork off into a divergent behaviour. 

In the Failures/Divergences/Infinite Traces model (FDI) of CSP, these 
behaviours are recorded alongside the failures information. In this approach we 
identify a process $P$ with the failures, divergences, and infinite traces 
that may be observed. Since this approach takes account of divergent and 
infinite behaviour as well as stable failures, it is more discriminating than the 
stable failures semantics. The first component, referred to as the stable failures 
set, consists of pairs $(t, X)$, where $t$ is a trace and $X$ is a refusal set after 
the trace $t$. The second component is the set of divergences, which consists 
of all traces which lead to a divergent process. The third component, the 
infinite traces, is the set of all infinite sequences of events from $\Sigma$ which 
the process can perform. 

2.4.4 Semantics of Recursive Processes 

Isobe and Roggenbach [2005] gave two approaches for the underlying domain 
of the semantic domain of the stable failures semantics, in order to obtain 
fixed points of recursive processes: one is to use complete metric spaces ( cms ), 
where Banach’s theorem shows the existence of fixed points. The other one is 
to use complete partial orders, and Tarski’s theorem is used here to show the 
existence of fixed points. Whereas Banach’s theorem guarantees uniqueness 
of the fixed point, Tarski’s theorem does not guarantee uniqueness. In case 
of the traces model and divergences the least fixed point is chosen, whereas 
in case of the set of failures the largest fixed point is chosen, since this set is 
a negative property about what a process cannot do. Using induction over 
least and coinduction over largest fixed points one can show that one process 
refines another process. 

2.4.5 Bisimilarity for CSP 

The main notion for determining process equivalence in CSP is via traces, 
failures, divergences, etc. Those semantics don’t refer directly to the under¬ 
lying transition system. Other process algebras like CCS instead define the 
basic meaning of processes by using a labelled transition system (LTS). Us¬ 
ing this approach one can determine equivalence by determining, which LTSs 
behave in the same way. Several equivalences over LTSs have been suggested. 
The most fundamental one is the notion of strong bisimulation. In strong 
bisimulation, two processes are considered to be equivalent if they have the 
same set of external, silent, and termination events available immediately, 
with these events leading to processes that are themselves equivalent. We first 
fix some notation: 

Definition 2.4.1 (a) $\Sigma^{\checkmark} := \Sigma \cup \{\checkmark\}$, where we assume $\checkmark \notin \Sigma$. 

(b) $\Sigma^{*\checkmark}$ is the set of finite sequences of events, possibly followed by a $\checkmark$. 

In CSP we can define strong bisimulation according to Roscoe [2010, 1998] 
as follows: 

Definition 2.4.2 (a) The relation $R$ on the set of nodes $S'$ of the LTS $S$ 
is a strong bisimulation iff the following hold: 

• $\forall P_1, P_2, Q_1 \in S'.\ \forall \mu \in \Sigma^{\checkmark,\tau}.\ 
P_1 \,R\, P_2 \wedge P_1 \xrightarrow{\mu} Q_1 \Rightarrow \exists Q_2 \in S'.\ P_2 \xrightarrow{\mu} Q_2 \wedge Q_1 \,R\, Q_2$ 

• $\forall P_1, P_2, Q_2 \in S'.\ \forall \mu \in \Sigma^{\checkmark,\tau}.\ 
P_1 \,R\, P_2 \wedge P_2 \xrightarrow{\mu} Q_2 \Rightarrow \exists Q_1 \in S'.\ P_1 \xrightarrow{\mu} Q_1 \wedge Q_1 \,R\, Q_2$ 

(b) Bisimilarity is the largest bisimulation relation, or equivalently, the 
union of all bisimulation relations. 

[Figure 2.1: Unfolding LTSs (Roscoe [2010]); panels (a), (b) and (c).] 

In Fig. 2.1 all the nodes of both systems 2.1a and 2.1b are strongly bisimilar. 
However, they are not strongly bisimilar to system 2.1c, since system 2.1c 
can perform an internal event ($\tau$). This reveals the main weakness of strong 
bisimulation as a technique for analysing process behaviour: bisimilarity 
distinguishes processes which differ only in invisible events, although such 
processes are observationally equivalent. Other forms of bisimulation 
for LTSs have been proposed, most of them based on weak bisimulation. 
Weak bisimulation varies bisimulation by demanding that, if one process can 
make a possibly empty finite sequence of $\tau$-transitions, or a possibly empty 
finite sequence of $\tau$-transitions followed by an external event followed by 
another sequence of $\tau$-transitions, or a sequence of $\tau$-transitions followed 
by a termination event, then the other process can do the same (where the 
number of $\tau$-transitions might differ from the first process). It is still 
not suitable for CSP since it cannot distinguish between the primitive processes 
STOP and DIV. 

Divergence-respecting weak bisimulation is a slight strengthening of weak 
bisimulation in order to fix this problem by demanding in addition to the 
conditions of weak bisimilarity that, if one process is divergent, i.e. allows an 
infinite sequence of r-transitions, the other one is divergent as well. 

In order to define it we first define the following: 

Definition 2.4.3 (a) $P\Uparrow$, "$P$ is immediately divergent", iff there exists 
a sequence $(P_i)_{i \in \mathbb{N}}$ such that $P = P_0$ and $\forall i \in \mathbb{N}.\ P_i \xrightarrow{\tau} P_{i+1}$. 

(b) $P \stackrel{s}{\Longrightarrow} Q$ iff there exist $P_0, \ldots, P_m$ such that $P_0 = P$, $P_m = Q$, and events 
$x_i$ such that $P_i \xrightarrow{x_i} P_{i+1}$, where $s$ is the sequence of those $x_i$ with $x_i \neq \tau$. 

So $P \stackrel{s}{\Longrightarrow} Q$ means we can get from $P$ to $Q$ by following transitions labelled by 
the events in $s$, interspersed with an arbitrary number of $\tau$-transitions. 

Following Roscoe [2010, 1998], we define in CSP divergence-respecting 
weak bisimulation, as follows: 

Definition 2.4.4 (a) The relation $R$ on the set of nodes $S'$ of the LTS $S$ is a 
divergence-respecting weak bisimulation, in short DRW-bisimulation, 
iff the following hold: 

• $\forall n, m \in S'.\ n \,R\, m \Rightarrow (n\Uparrow \Leftrightarrow m\Uparrow)$ 

• $\forall P_1, P_2, Q_1 \in S'.\ \forall s \in \Sigma^{*\checkmark}.\ 
P_1 \,R\, P_2 \wedge P_1 \stackrel{s}{\Longrightarrow} Q_1 \Rightarrow \exists Q_2 \in S'.\ P_2 \stackrel{s}{\Longrightarrow} Q_2 \wedge Q_1 \,R\, Q_2$ 

• $\forall P_1, P_2, Q_2 \in S'.\ \forall s \in \Sigma^{*\checkmark}.\ 
P_1 \,R\, P_2 \wedge P_2 \stackrel{s}{\Longrightarrow} Q_2 \Rightarrow \exists Q_1 \in S'.\ P_1 \stackrel{s}{\Longrightarrow} Q_1 \wedge Q_1 \,R\, Q_2$ 

(b) Divergence-respecting weak bisimilarity, in short DRW-bisimilarity, 
is the largest DRW-bisimulation, or equivalently the union of all DRW- 
bisimulations. 

(c) A relation $R$ is a weak bisimulation iff it fulfils the same conditions as 
a DRW-bisimulation, except that $n \,R\, m \Rightarrow (n\Uparrow \Leftrightarrow m\Uparrow)$ is not required. 

Weak bisimilarity is the largest weak bisimulation relation. 
Remark 2.4.5 If we replace in Definition 2.4.4 the quantification over $\Sigma^{*\checkmark}$ 
by $\Sigma^{\checkmark} \cup \{\langle\rangle\}$, i.e. over traces of length at most one, we obtain an 
equivalent definition. 
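A worked instance of the distinction between the two notions, added here as an illustration and not part of the original text: take the two nodes $\mathit{STOP}$ and $\mathit{DIV}$, where $\mathit{STOP}$ has no transitions at all and $\mathit{DIV}$ has the single transition $\mathit{DIV} \xrightarrow{\tau} \mathit{DIV}$, and let $R = \{(\mathit{STOP}, \mathit{DIV})\}$.

By Remark 2.4.5 it suffices to consider $s \in \Sigma^{\checkmark} \cup \{\langle\rangle\}$. Neither node can perform a visible event or $\checkmark$, so the only moves are $\mathit{STOP} \overset{\langle\rangle}{\Longrightarrow} \mathit{STOP}$ and $\mathit{DIV} \overset{\langle\rangle}{\Longrightarrow} \mathit{DIV}$ (the latter via any number of rounds of the $\tau$-loop). Each is matched on the other side by the empty sequence of $\tau$-transitions, and the resulting pair $(\mathit{STOP}, \mathit{DIV})$ is again in $R$. Hence $R$ is a weak bisimulation, and $\mathit{STOP}$ and $\mathit{DIV}$ are weakly bisimilar.

On the other hand $\mathit{DIV} \Uparrow$, witnessed by the constant sequence $P_i = \mathit{DIV}$, whereas $\neg(\mathit{STOP} \Uparrow)$, since $\mathit{STOP}$ has no $\tau$-transition. So the condition $\mathit{STOP} \Uparrow \Leftrightarrow \mathit{DIV} \Uparrow$ fails, $R$ is not a DRW-bisimulation, and, since every DRW-bisimulation containing $(\mathit{STOP}, \mathit{DIV})$ would have to satisfy that condition, $\mathit{STOP}$ and $\mathit{DIV}$ are not DRW-bisimilar.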

We obtain (taken from Roscoe [2010, 1998]) the following key lemma for 
DRW-bisimulation: 

Lemma 2.4.6 (Key-Lemma for DRW-bisimulation) Let $R$ be a DRW-bisimulation. 

• $\forall P, P', Q \in S'.\; \forall s \in \Sigma^{*\checkmark}.\; P \mathrel{R} P' \wedge P \overset{s}{\Longrightarrow} Q$ 
  $\Rightarrow \exists Q' \in S'.\; P' \overset{s}{\Longrightarrow} Q' \wedge Q \mathrel{R} Q' \wedge (\mathrm{stable}(Q) \Rightarrow \mathrm{stable}(Q'))$ 

• $\forall P, P', Q' \in S'.\; \forall s \in \Sigma^{*\checkmark}.\; P \mathrel{R} P' \wedge P' \overset{s}{\Longrightarrow} Q'$ 
  $\Rightarrow \exists Q \in S'.\; P \overset{s}{\Longrightarrow} Q \wedge Q \mathrel{R} Q' \wedge (\mathrm{stable}(Q') \Rightarrow \mathrm{stable}(Q))$ 

Proof We just prove the first direction; the second is symmetric. It suffices to show 

$P \mathrel{R} Q \wedge \mathrm{stable}(P) \;\Rightarrow\; \exists Q'.\; Q \overset{\langle\rangle}{\Longrightarrow} Q' \wedge P \mathrel{R} Q' \wedge \mathrm{stable}(Q')$   (*) 

Assume we have (*), and assume 

$P_1 \mathrel{R} P_2 \wedge P_1 \overset{s}{\Longrightarrow} Q_1$ 

Then by $R$ being a DRW-bisimulation we obtain a $Q_2$ such that 

$Q_1 \mathrel{R} Q_2 \wedge P_2 \overset{s}{\Longrightarrow} Q_2$ 

If $Q_1$ is not stable, this $Q_2$ already satisfies the claim. If $\mathrm{stable}(Q_1)$, 
then by (*) (applied to $Q_1 \mathrel{R} Q_2$) there exists $Q_2'$ such that 

$Q_1 \mathrel{R} Q_2' \wedge Q_2 \overset{\langle\rangle}{\Longrightarrow} Q_2' \wedge \mathrm{stable}(Q_2')$ 

and therefore as well 

$P_2 \overset{s}{\Longrightarrow} Q_2'$ 

We now show (*): By $\mathrm{stable}(P)$ we have $\neg(P \Uparrow)$, and therefore, $R$ being 
divergence-respecting, $\neg(Q \Uparrow)$. For any $Q''$ we have $\mathrm{stable}(Q'') \vee \exists Q'''.\; Q'' \xrightarrow{\tau} Q'''$. 
Therefore we obtain a sequence 

$Q = Q_0' \xrightarrow{\tau} Q_1' \xrightarrow{\tau} Q_2' \xrightarrow{\tau} \cdots$ 

which is either infinite, or ends with a $Q_n'$ which is stable. Since $\neg(Q \Uparrow)$, 
this sequence cannot be infinite. So we obtain a $Q_n'$ such that 

$Q = Q_0' \overset{\langle\rangle}{\Longrightarrow} Q_n' \wedge \mathrm{stable}(Q_n')$ 

By $R$ being a DRW-bisimulation and $P \mathrel{R} Q$, there exists $P''$ such that 

$P \overset{\langle\rangle}{\Longrightarrow} P'' \wedge P'' \mathrel{R} Q_n'$ 

By $P$ being stable, the only $\overset{\langle\rangle}{\Longrightarrow}$-move from $P$ is the empty one, so $P = P''$, 
hence $P \mathrel{R} Q_n'$, and $Q' := Q_n'$ is as required. 

We note here that the above argument is classical (it uses that every $Q''$ is 
either stable or has a $\tau$-successor, and that a $\tau$-sequence which is not 
infinite is finite). When formalising CSP-Agda, which is based on constructive 
logic, we formalise non-divergence as an inductive data type which expresses 
that the sequence of $\tau$-transitions is well founded. 

The proof of the following lemma is obvious (one easily sees that if $R$ is 
a strong bisimulation, $P \mathrel{R} P'$ and $P \Uparrow$, then $P' \Uparrow$): 

Lemma 2.4.7 (a) Any strong bisimulation is a DRW-bisimulation. 

(b) Any DRW-bisimulation is a weak bisimulation. 

In Chapter 10 we will implement strong bisimilarity and divergence-
respecting weak (DRW) bisimilarity in CSP-Agda. This will facilitate proofs 
of algebraic properties for trace, stable failures and FDI semantics. We will 
show that strong bisimilarity implies DRW-bisimilarity, and that both imply 
equivalence with respect to trace semantics, stable failures semantics and 
FDI semantics. This makes proofs of algebraic properties in these semantics 
easier: one first shows strong or DRW-bisimilarity and then obtains 
equivalence in the other semantics directly. As an example, we will apply 
this methodology to prove algebraic laws with respect to these semantics: 
we prove commutativity of the interleaving and external choice operators 
and prove two monadic laws. 

2.5 Tool Support 

There are three main tools that have been developed and are used to analyse 
CSP processes; in this section we briefly describe them. These tools support 
checking of CSP syntax, checking of standard properties such as freedom from 
livelock and deadlock, checking of formulas describing properties of CSP 
processes, and checking of the refinement relation between processes. The 
first tool is ProBE, the second one is Failures Divergences Refinement (FDR), 
and the last one is CSP-Prover. 

2.5.1 ProBE 

ProBE (Formal Systems (Europe) Ltd [2003]) allows the user to investigate 
the behaviour of CSP processes. The ProBE tool uses as its language CSPm, 
which is machine readable CSP (Roscoe [1998]). ProBE allows the exploration 
of how a process develops through simulation: it presents, in a tree-like 
structure, how a process proceeds when making different choices of events. 
Future processes can be expanded by clicking on them, or hidden again. 

For instance, consider the following process: 

  Sender   = in?x : T → mid!x → ack → Sender 
  Receiver = mid?y : T → out!y → ack → Receiver 
  (Sender ∥ Receiver) \ (mid.T ∪ {ack}) 

Part of its exploration through the ProBE tool can be found in Fig. 2.2. 


Figure 2.2: ProBE Tool Interface (screenshot not reproduced) 


2.5.2 Failures Divergences Refinement (FDR) 

The FDR tool (Failures Divergences Refinement, University of Oxford [2012]) 
is the first commercially available tool for CSP. Like ProBE, it uses CSPm 
as its input language. This tool allows the checking of a wide range of 
correctness conditions, such as freedom from livelock and deadlock, as well 
as general safety and liveness properties. As an example, consider the 
process from the previous subsection, 

  (Sender ∥ Receiver) \ (mid.T ∪ {ack}) 

Fig. 2.3 shows that we can check, using the FDR2 tool, that this process is 
free from livelock and (using a different selection) from deadlock. 



Figure 2.3: FDR2 Tool Interface 


2.5.3 CSP-Prover 

CSP-Prover (Isobe and Roggenbach [2005]) integrates the theory of CSP into 
the interactive theorem prover Isabelle/HOL (Nipkow et al. [2002]), where it 
is used in order to carry out refinement proofs for CSP. Isabelle/HOL is 
implemented in ML (Milner [1997]). Whereas the previous tools (see 2.5.2) 
restrict CSP specifications to finite-state systems, CSP-Prover allows one to 
prove properties of infinite-state systems. 
Chapter 3 

Theorem Prover Agda 


Agda is a dependently typed programming language and theorem prover. 
Types can depend on arbitrary values. This is in contrast to the functional 
programming languages Haskell and ML, which are simply typed, based on 
a Hindley-Milner style type system (Milner [1978], Damas and Milner [1982], 
Hindley [1969]), and therefore separate types and values. In this chapter, we 
give an overview of Agda version 2; see Bove et al. [2009] for a brief overview 
of Agda 2 and its history. Agda is the latest in a series of dependently 
typed programming languages: Alf (Magnusson and Nordström [1994]), Half 
(Cederquist [1997]), CHalf (Cederquist et al. [1998]), Alfa (Thomas Hallgren 
[2017]), Agda 1 (developed by Catarina Coquand, Coquand [2009]) and Agda 
2 (Bove et al. [2009], Norell [2009b,a], Agda Community [2017b]). 

All of them are extensions of Martin-Löf type theory (Martin-Löf [1984]). 
See the book by Nordström et al. [1990] for a more computer science oriented 
introduction to Martin-Löf type theory. All of these theorem provers were 
developed primarily at Chalmers University of Technology in Gothenburg, 
Sweden. The current version of Agda is Agda 2, the basis of which was 
designed and implemented by Ulf Norell in his PhD in 2007 (Norell [2007]). 
The work in our PhD thesis is carried out in Agda 2. Therefore all references 
to Agda in this thesis, unless explicitly stated otherwise, refer to Agda 2. 
The language of Agda is functional, however with dependent types, and 
with many features added over time. Agda supports inductive and coinductive 
data types. Inductive data types include inductive families. Functions on 
these types are defined using termination checked pattern and copattern 
matching (Abel et al. [2013]). One particular feature of Agda is that it 
supports induction-recursion. In induction-recursion, a set is defined 
inductively while simultaneously a function over it is defined recursively. 
This allows in particular the definition of universes, where the inductively 
defined type is a set of codes, and the recursively defined function maps a 
code to the type it denotes. 

The theorem prover most similar to Agda is Coq (Bertot and Castéran 
[2010]). The language of Coq is an extension of the Calculus of Constructions 
(Coquand and Huet [1988]). Coq allows the direct definition of inductive 
data types, but not of inductive-recursive types. 

Both Coq and Agda are proof assistants with dependent types. Logical 
propositions are identified with certain types using the "propositions as types" 
principle, based on the Curry-Howard isomorphism (Bertot and Castéran 
[2010]). To prove a proposition means to write a program which is an element 
of the corresponding type. 

Most definitions in Agda use pattern matching. Pattern matching is an 
easy to use syntax for making a case distinction on the constructors of an 
inductive data type. In Agda we can for instance define an inductive family 

  Vec : ℕ → Set 

where Vec n is the set of n-tuples, or vectors of length n. 

Then we can define a function 

  f : (n : ℕ) (v : Vec n) → B n v 

by making case distinctions on n and v. Coq has a similar mechanism using 
the "match ... with ..." construct. 

Coq distinguishes between the sorts Prop and Set. Prop allows impredicative 
quantification. Logical propositions are elements of Prop, whereas data 
types are elements of Set. This kind of distinction, apart from adding 
enormous proof theoretic strength, is useful in order to extract OCaml and 
Haskell programs from proofs in Coq, since it allows the separation of proofs, 
which are elements of types in Prop, from programs, which are elements of 
types in Set. Agda does not have this kind of distinction, except for an 
experimental variant of it (where Prop is still predicative). 

Coq is tied to the theoretical work on the Calculus of Inductive Constructions, 
whereas Agda is more flexible and has over time diverged quite far from its 
basis in Martin-Löf type theory. This allows new ideas to be added to Agda 
more easily. 

Coq has the concept of tactics, which allow elements of types to be generated 
automatically. In contrast, in Agda, at the time of writing this thesis, 
automated generation of elements of types is quite restricted. There are 
attempts to improve this, but they are still at an experimental stage. Coq 
also allows setoid rewriting, which makes writing elements of quotient types, 
which are represented as setoids, easier. Both Coq and Agda support type 
classes and an infinite hierarchy of type universes. 
However, the need to write proofs by hand in Agda has given rise to new 
definitions of data types and programs, which can be programmed more 
easily. This is in particular useful for writing dependently typed programs, 
where automatically generated code easily becomes inefficient. 

In this chapter we introduce the basic features of Agda and show how they 
are used in the construction of dependently typed programs. We also 
introduce the syntax of Agda through examples. More information about 
the theorem prover Agda can be found in the Agda Wiki (Agda Community 
[2017a], Agda Community [2017b]), in Ulf Norell's PhD thesis (Norell [2007]), 
and in the book by Stump [2016]. 

3.1 Totality of Agda 

Agda is a total language, which means that every program in it must 
terminate: all computations must terminate and return a value without any 
run-time error. Without this property, the logic behind the language becomes 
inconsistent: for instance, without termination checking, we could define for 
any type A an element of it by 

  a : A 
  a = a 

and therefore prove all theorems. 

In order to obtain total computations, certain checks need to be performed 
in Agda; apart from type checking, one needs 

• coverage checking, which checks that pattern matching covers all cases; 

• termination checking, which guarantees that functions are defined by 
an extension of primitive (co)recursion; 

• strict positivity checking of constructors, which makes sure that the 
(co)data types are strictly positive (otherwise it doesn't make sense to 
talk about primitive (co)recursion). 

Primitive (co)recursion is now based on copattern matching, which 
corresponds to the principle of guarded recursion. 

More information about totality can be found in Turner [2004]. 

3.1.1 Type checking 

The procedure that decides whether a program conforms to a given set of 
typing rules is called the type checker. It checks that terms are formed 
from functions and other operations which are applied in a type correct way. 
Agda allows code to contain undefined parts, called goals (or holes). For a 
goal it shows the type of the goal and its environment, and allows one to 
compute normal forms and types of terms relative to this context. More 
detailed information about the type checker of Agda can be found in 
Chapman's PhD thesis (Chapman [2009]) and in Norell's PhD thesis (Norell 
[2007]). 

3.1.2 Coverage checking 

Because of the use of inductive families and induction-recursion, and of 
nested pattern and copattern matching, it can be quite difficult to determine 
whether a given set of (co)patterns covers all cases. This check for coverage 
is performed in Agda by the coverage checker (Bove et al. [2009]). A very 
simple example uses the set of colours defined as follows: 

  data Colour : Set where 
    Red   : Colour 
    Green : Colour 
    Blue  : Colour 

Consider the function swapColour which swaps the colours Green and Red: 

  swapColour : Colour → Colour 
  swapColour Red   = Green 
  swapColour Green = Red 
  -- no clause for Blue: deliberately incomplete 

This definition has no pattern for Blue; if we applied swapColour to this 
value we would obtain a runtime error. It therefore doesn't pass the coverage 
checker and is rejected by Agda. We note that coverage checking is not trivial 
in the presence of inductive families of types. An example is the definition 
of even numbers and the proof that the sum of two even numbers is even: 

  data IsEven : ℕ → Set where 
    even0   : IsEven zero 
    evenSuc : {n : ℕ} → IsEven n → IsEven (succ (succ n)) 

  even+ : (n m : ℕ) → IsEven n → IsEven m → IsEven (n + m) 
  even+ .zero             m even0            pm = pm 
  even+ .(succ (succ n))  m (evenSuc {n} pn) pm = evenSuc (even+ n m pn pm) 

Pattern matching on the proof of IsEven n and matching it with even0 
forces the argument n to become zero, where the dot indicates that this 
argument is forced (it is determined by the other patterns rather than 
matched on). Similarly, in the second line the first natural number is forced 
to be .(succ (succ n)). 

3.1.3 Termination checking 

As mentioned before, Agda is a total language, meaning that each program 
must terminate, since without a termination checker the logic behind the 
language would be inconsistent. In most functional programming languages 
recursion can be used freely; for instance, the partial function div can be 
defined in Haskell as follows: 

  div m n = if m < n then 0 else 1 + div (m - n) n 

When we use this definition in Agda, it is rejected, and must be rejected, 
since this function is partial: if n is 0 it will not terminate. Since the 
termination problem is undecidable, the termination checker of Agda cannot 
accept exactly the terminating programs, but only a subset of them. It does 
so by accepting structurally recursive programs, structural recursion being 
an extended form of primitive recursion. So even after fixing the above 
definition of div so that it terminates for n = 0, it would in this form still 
be rejected by Agda, since it is not an instance of structural recursion: the 
recursive call is on m - n, which is not a subterm of the argument m. 
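As an added example (not part of the thesis), here is one way to write the division above so that Agda's termination checker accepts it: the recursion is made structural on an explicit fuel argument, and the dividend itself serves as the fuel, since it bounds the number of subtraction steps. The names divFuel, _∸_ and _<ᵇ_ are chosen for this example; everything it needs is defined inline.

```agda
-- Added example (not from the thesis): making division total by structural
-- recursion on an explicit fuel argument.

data ℕ : Set where
  zero : ℕ
  succ : ℕ → ℕ

data Bool : Set where
  true  : Bool
  false : Bool

infix 0 if_then_else_
if_then_else_ : {A : Set} → Bool → A → A → A
if true  then x else y = x
if false then x else y = y

-- truncated subtraction: m ∸ n is zero when n ≥ m
_∸_ : ℕ → ℕ → ℕ
m      ∸ zero   = m
zero   ∸ succ n = zero
succ m ∸ succ n = m ∸ n

-- strict comparison returning a Boolean
_<ᵇ_ : ℕ → ℕ → Bool
m      <ᵇ zero   = false
zero   <ᵇ succ n = true
succ m <ᵇ succ n = m <ᵇ n

-- divFuel k m n: the quotient of m by n, computed with at most k subtraction
-- steps.  Every recursive call is on k, a structurally smaller argument, so
-- the termination checker accepts it; m and n may change arbitrarily.
divFuel : ℕ → ℕ → ℕ → ℕ
divFuel zero     _ _ = zero
divFuel (succ k) m n =
  if m <ᵇ n then zero else succ (divFuel k (m ∸ n) n)

-- Using the dividend as fuel suffices: for n ≥ 1 each step strictly
-- decreases m, so the fuel is never exhausted before m < n.  For n = 0,
-- where the Haskell version loops, the fuel runs out after m steps and the
-- function still returns a value (namely m).
div : ℕ → ℕ → ℕ
div m n = divFuel m m n
```

The fuel technique trades the undecidable question "does this recursion terminate?" for the syntactic check "is the recursion structural on k?", which is exactly what the checker can decide; the cost is that the caller has to supply a bound that is provably large enough.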

Primitive recursion 

In order to make sure that all functions terminate, one solution is to force 
all recursion to be an instance of extended primitive recursion. This approach 
was taken in Martin-Löf type theory (Martin-Löf [1984]), where all recursion 
needs to be an instance of extended primitive recursion. Primitive recursion 
is a special case of structural recursion on a well-founded data type. The 
main principle of primitive recursion is that recursive calls are made on 
structurally smaller arguments, which guarantees termination. 

For instance, consider the type of natural numbers: 

  data ℕ : Set where 
    zero : ℕ 
    succ : ℕ → ℕ 
This means that we have a new type ℕ : Set with operations zero : ℕ 
and succ : ℕ → ℕ. Furthermore, the elements of ℕ are exactly those 
constructed by applying these operations. Therefore functions can be defined 
by case distinction on these constructors using pattern matching, for example: 

  double : ℕ → ℕ 
  double zero     = zero 
  double (succ n) = succ (succ (double n)) 

Nested patterns and mutual definitions are allowed, for example: 

  mutual 
    f : ℕ → ℕ 
    f zero            = 1 
    f (succ zero)     = 2 
    f (succ (succ x)) = g x 

    g : ℕ → ℕ 
    g zero     = 3 
    g (succ n) = n 

The coverage checker checks completeness, whereas the termination checker 
ensures that the recursive calls follow a schema of extended primitive 
recursion. 

We can define addition of natural numbers as follows: 

  _+_ : ℕ → ℕ → ℕ 
  zero   + m = m 
  succ n + m = succ (n + m) 

Here termination checking succeeds, since in the second line the first 
argument becomes smaller in the recursive call (n is structurally smaller 
than succ n; in fact, since we are using natural numbers, it is a smaller 
number). Working with this kind of recursion is often inconvenient in practice, 
since we deal with only one argument at a time. More details can be found 
in Martin-Löf [1984] and in the article by Dybjer [1994] on inductive 
families. 
Structural recursion 

In some programming languages primitive recursion is the only form of 
recursion allowed, as for instance in Coq. This is not a problem, since Coq 
can define more complex functions using its tactics. Agda allows the more 
general form of structural recursion, in which recursive calls on subexpressions 
of the argument are allowed. For instance, the Fibonacci numbers can be 
defined as follows, using nested pattern matching: 

  fib : ℕ → ℕ 
  fib zero            = zero 
  fib (succ zero)     = succ zero 
  fib (succ (succ n)) = fib n + fib (succ n) 


3.1.4 Equality 

Agda has three kinds of equality. The first is definitional equality, 
which is a decidable equality used during type checking. It is essentially 
based on two terms being equal if they have, up to α- and η-equality, the 
same normal form. The second is propositional equality, which is a user 
defined equality. An example in this thesis will be the definition of 
bisimilarity on processes, which is defined as a binary predicate on processes. 
Another example would be to define equality on the function type A → B 
extensionally, by defining two functions to be equal if for equal elements 
of A they return equal elements of B. This allows one to define undecidable 
equalities on types, which can be used for formal specifications. The third 
equality is the intensional equality type. It is the least proposition closed 
under reflexivity. Since for type checking purposes definitionally equal terms 
are identified, it contains definitional equality. Intensional equality is 
relatively weak and often needs to be replaced by a propositional equality 
in order to prove theorems. We will introduce intensional equality below in 
Subsect. 3.2.12. 
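An added example (not the thesis's code) contrasting the first and the third kind of equality: zero + n ≡ n is provable by refl because the two sides are definitionally equal, whereas n + zero ≡ n is not, and needs an inductive proof term. The definitions of ℕ, _+_, _≡_ and cong are given inline so the block stands on its own; the lemma names are chosen for this example.

```agda
-- Added example (not from the thesis): definitional versus intensional
-- equality on natural numbers.

data ℕ : Set where
  zero : ℕ
  succ : ℕ → ℕ

_+_ : ℕ → ℕ → ℕ
zero   + m = m
succ n + m = succ (n + m)

-- the intensional equality type: the least relation closed under refl
infix 4 _≡_
data _≡_ {A : Set} (x : A) : A → Set where
  refl : x ≡ x

-- every function respects intensional equality
cong : {A B : Set} (f : A → B) {x y : A} → x ≡ y → f x ≡ f y
cong f refl = refl

-- zero + n and n are definitionally equal (the first clause of _+_ fires
-- during type checking), so refl is accepted without further argument
+-zero-left : (n : ℕ) → (zero + n) ≡ n
+-zero-left n = refl

-- n + zero is stuck on the variable n, so it is not definitionally equal
-- to n; the proof needs induction, i.e. a recursive proof term.  In the
-- succ case the goal succ (n + zero) ≡ succ n is closed by cong succ
-- applied to the induction hypothesis.
+-zero-right : (n : ℕ) → (n + zero) ≡ n
+-zero-right zero     = refl
+-zero-right (succ n) = cong succ (+-zero-right n)
```

Replacing refl by a hole in +-zero-right (succ n) and asking Agda for the goal type shows succ (n + zero) ≡ succ n, which makes the difference between the two lemmas visible: the type checker has normalised as far as it can, and no further definitional unfolding is possible without knowing n.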


3.2 Types and Expressions In Agda 

Agda has an infinite sequence of type levels. The lowest type level is, for 
historic reasons, called Set. Types in Agda are given as inductive types, 
coinductive types, dependent function types, the Size type, record types, and 
the generalisations of inductive types given by inductive-recursive and 
inductive-inductive definitions. 
3.2.1 Inductive Data Types 

Mathematical induction is the backbone of programming and program 
verification (Leino and Moskal [2014]). Many data structures can be defined 
as inductive data types, also called algebraic data types (Bird and Wadler 
[1988]). Inductive data types allow one to introduce their elements using 
constructors, to use them by recursion (Beckert et al. [2007]), and to prove 
properties by induction (Sheeran et al. [2000]). The elements of an inductive 
data type in theorem proving are well-founded, which means that an element 
can be considered as a tree with no infinite branches. If the branching is 
finite, the objects are by König's Lemma finite. Inductive data types in Agda 
are dependent versions of the algebraic data types as they occur in functional 
programming. There are several levels of types, the lowest (for historic 
reasons) being called Set. An inductive data type is given as a set A with 
constructors which are strictly positive in A¹. An example is the set of 
natural numbers, which we repeat here for convenience: 

  data ℕ : Set where 
    zero : ℕ 
    succ : ℕ → ℕ 

Another example of an inductive data type is the definition of Maybe, 
which adds to the elements of A, written as just a, one extra element nothing. 
It is a degenerate inductive data type, because it is not a recursive definition: 

  data Maybe (A : Set) : Set where 
    nothing : Maybe A 
    just    : A → Maybe A 

Agda also allows inductive families, i.e. inductively defined sets indexed 
over another set. We define here the collection of finite sets Fin n having 
n elements. For every n we have that zero is an element of Fin (succ n), and 
if m is an element of Fin n, then suc m is an element of Fin (succ n). One 
easily sees that with this definition Fin n has exactly n elements. The 
definition in Agda is as follows: 

  data Fin : ℕ → Set where 
    zero : {n : ℕ} → Fin (succ n) 
    suc  : {n : ℕ} → Fin n → Fin (succ n) 


¹ Which is explained in Sect. 3.2.2 
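An added example (not the thesis's code) of what an inductive family buys in practice: a lookup function on length-indexed vectors whose index type Fin n rules out out-of-bounds access at type checking time, so the coverage checker does not even ask for a clause on the empty vector. The Fin constructors are named fzero and fsuc here so that they do not clash with the constructors of ℕ; Vec, lookup and the sample vector are defined for this example.

```agda
-- Added example (not from the thesis): an inductive family used to make
-- vector lookup safe by construction.

data ℕ : Set where
  zero : ℕ
  succ : ℕ → ℕ

-- Fin n: natural numbers below n (constructors named fzero/fsuc here so
-- that they do not clash with the constructors of ℕ)
data Fin : ℕ → Set where
  fzero : {n : ℕ} → Fin (succ n)
  fsuc  : {n : ℕ} → Fin n → Fin (succ n)

-- Vec A n: lists of A of length exactly n
infixr 5 _∷_
data Vec (A : Set) : ℕ → Set where
  []  : Vec A zero
  _∷_ : {n : ℕ} → A → Vec A n → Vec A (succ n)

-- The index has type Fin n for the same n as the vector's length, so the
-- combination [] with an index would require an element of Fin zero, which
-- has none.  The coverage checker sees this and demands no clause for [];
-- an out-of-bounds access is a type error rather than a run-time error.
lookup : {A : Set} {n : ℕ} → Vec A n → Fin n → A
lookup (x ∷ xs) fzero    = x
lookup (x ∷ xs) (fsuc i) = lookup xs i

-- constructed sample input: the vector (0, 1) of length two
sample : Vec ℕ (succ (succ zero))
sample = zero ∷ succ zero ∷ []

-- index 1 of the sample: a well-typed access
second : ℕ
second = lookup sample (fsuc fzero)

-- lookup sample (fsuc (fsuc fzero)) is rejected at type checking time:
-- fsuc (fsuc fzero) has type Fin (succ (succ (succ n))) for some n, which
-- does not unify with Fin (succ (succ zero)).
```

The point for a security engineer is where the check happens: with List and ℕ indices the bounds check is a run-time branch that a caller may forget; with Vec and Fin the bound is part of the index's type, and a violation is a compile-time failure of the program as a whole.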
3.2.2 General Form of Inductive Data Types 

The general form of inductive data types in Agda is as follows: 

  data D : Set where 
    C₁ : A₁ 
    C₂ : A₂ 
    ... 
    Cₙ : Aₙ 

Assume each Aᵢ has the form 

  (y₁ : B₁) → ... → (yₘ : Bₘ) → D 

where each argument type Bᵢ is either non-inductive (and does not mention 
D at all) or inductive, in which case it has the form 

  (z₁ : C₁) → ... → (zₖ : Cₖ) → D 

where D must not occur in any Cⱼ. 

For instance, the following definition of Bad is not accepted by the 
positivity checker of Agda: 

  data Bad : Set where 
    bad : (Bad → Bad) → Bad 

The first occurrence of Bad, as the domain of the argument function type, 
is in negative position; the second and third occurrences would on their own 
be accepted. 

3.2.3 Dependent function type 

The dependent function type is like a simple function type, but the result 
type may depend on the value of the argument. We write in Agda (n : X) → Y 
for the type of functions taking an argument n of type X and returning a 
result of type Y, where n may appear in Y. For example, in Agda we can define 

  id₁ : (A : Set) → A → A 
  id₁ A x = x 

This is a dependent function taking a type argument A and an element of A, 
and returning that element. 
3.2.4 Guardedness checking in coinductive programs 

The design of programming languages using infinite coinductive types is 
challenging, especially if termination (productivity) needs to be guaranteed. 

Most programmers feel comfortable with inductive data types, whereas 
coinductive data types are considered to be more complex. Primitive 
corecursion, or guarded recursion, is a principle for defining termination 
checked corecursive programs. This principle is built into the languages Agda 
and Coq. 

When using coinductive types defined by their introduction rules, guarded 
corecursion is the principle of recursion which allows arbitrary recursive calls 
as long as they are guarded by a coinductive constructor. Productivity is 
ensured by guardedness. For more information about this approach to 
coinduction, see the articles by Danielsson and Altenkirch [2009], Altenkirch 
and Danielsson [2010] and Danielsson [2010]. In the newer approach in Agda, 
coinductive types are defined by their elimination rules (Abel et al. [2013], 
Abel and Pientka [2013], Setzer et al. [2014]). Primitive corecursion is there 
defined differently: an element of a coinductive type is defined by copattern 
matching on its eliminators (also called observations), and this definition 
may make a corecursive call, provided no other function is applied to that 
call. For more details see for instance Setzer [2016]. 

3.2.5 Coinductive Data Types 

There are two ways of defining coinductive types in Agda. The older one 
defines coinductive types by their introduction rules. One first adds the 
following special built-in operations (called "musical notation"), which have 
the following signatures: 

  ∞  : Set → Set 
  ♯_ : {A : Set} → A → ∞ A 
  ♭  : {A : Set} → ∞ A → A 

The idea is that coinductive arguments of a coinductively defined set A 
are denoted by ∞ A. The operations ♯ (delay) and ♭ (force) are used to 
convert between A and ∞ A. The objects created by corecursion are defined 
using these functions, and destructed by pattern matching together with ♭. 

More generally, mixed inductive-coinductive types can be defined, see for 
instance Danielsson and Altenkirch [2010]. In order to define a type A in the 
coinductive way we denote any inductive arguments by A and any coinductive 
arguments by ∞ A; ∞ A stands for the type of delayed computations of A. For 
example, we can define streams as a coinductive type in Agda as follows: 
  data stream : Set where 
    _::_ : ℕ → ∞ stream → stream 

Here the second argument of _::_ is ∞ stream and therefore a coinductive 
argument. We can define elements of stream using corecursion. As an 
example, the infinite sequence of zeros is defined as a stream as follows: 

  stream₀ : stream 
  stream₀ = zero :: ♯ stream₀ 

A value constructed by corecursion does not need to terminate, but has to 
be productive. We don't expand a corecursive definition infinitely, but only 
lazily, as far as needed. Guardedness means that a corecursive call is guarded 
by at least one constructor, and that no other operations are applied to the 
corecursive call. 

For example, the stream of increasing numbers starting with n is defined 
as follows: 

  inc : ℕ → stream 
  inc n = n :: ♯ inc (succ n) 

We can use case distinction in order to destruct a stream. For instance, 
the following function adds two streams together pointwise. The definition 
is by corecursion on the constructed stream: 

  addStream : stream → stream → stream 
  addStream (x :: xs) (y :: ys) = (x + y) :: ♯ addStream (♭ xs) (♭ ys) 

The second approach to representing coalgebras in Agda, which we use 
in this thesis, is to define coinductive types by their elimination rules, as 
introduced in Abel et al. [2013], Setzer et al. [2014]. The standard example 
is the set of streams: 

  record Stream (i : Size) : Set where 
    coinductive 
    field 
      head : ℕ 
      tail : {j : Size< i} → Stream j 
If we first ignore the arguments Size, Size< we see that the type Stream is 
given as a record type in Agda. It is defined coinductively by its observations 
head and tail. 

Elements of Stream are defined by copattern matching, i.e. by determining 
the result of applying head and tail to them. A simple (non-recursive) 
operation is the function cons, which adds a new element in front of a stream: 

  cons : ∀ {i} → ℕ → Stream i → Stream i 
  head (cons n s) = n 
  tail (cons n s) = s 

Without sizes, in corecursive definitions only direct corecursive calls to the 
function being defined are possible; in particular, no functions can be applied 
to the corecursive calls. However, there are no restrictions on the arguments 
to which the corecursive calls are applied. This restriction on corecursive 
definitions is called the principle of guarded recursion (Coquand [1994]) or 
primitive corecursion. As an example, we give the pointwise addition of two 
streams: 

  _+s_ : ∀ {i} → Stream i → Stream i → Stream i 
  head (s +s s') = head s + head s' 
  tail (s +s s') = tail s +s tail s' 

_+s_ makes a corecursive call tail s +s tail s'. Note that s and s' are 
arguments of _+s_, so we can apply tail to them freely. 

Without the restriction of guarded recursion, one could write non-productive 
definitions, e.g. tail (f x) = tail (f x). However, the guardedness restriction 
makes it difficult to define streams in a modular way, since in a corecursive 
call we cannot refer to other functions for forming streams at all, although 
many such operations would not cause problems. Therefore Abel has introduced 
sized types (Abel [2006, 2016]) in the context of coinductive types, which 
allow size preserving and size increasing functions to be applied to corecursive 
calls. 

Sizes are essentially ordinals (without infinite branching one can think 
of them as natural numbers); however, there is an additional infinite size 
∞. As operations for forming sizes we have the infinite size ∞, the successor 
operation on sizes ↑, and the type of sizes less than i, denoted by Size< i. 

For ordinal sizes i ≠ ∞, a stream s : Stream i allows up to i applications of 
tail. The true streams form the set Stream ∞, and s : Stream ∞ allows 
arbitrarily many applications of tail. When defining an element 
f : (i : Size) → A i → Stream i by corecursion, tail (f i a) {j} must be an 
element of Stream j, which may refer to a corecursive call f j a', and we can 
apply functions to that call as long as the resulting size is ≥ j. Elimination 
on the corecursive call is prevented, since we don't have access to any size 
< j. However, we can apply size preserving and size increasing functions to 
the corecursive call. This guarantees that streams are productive. We have 
∞ : Size< ∞, so a corecursive definition of elements of Stream ∞ can refer 
to itself. 
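An added example (not the thesis's code) of the modularity that sized types buy: the stream of natural numbers defined as nats = 0 :: map succ nats, where a size preserving function (mapS, defined here) is applied to the corecursive call. Without the Size index the guardedness checker rejects the clause tail nats = mapS succ nats, since a function other than a constructor sits between the observation and the corecursive call; with sizes it is accepted because mapS maps Stream j to Stream j. The block imports only Agda.Builtin.Size and defines ℕ and Stream itself.

```agda
-- Added example (not from the thesis): a corecursive definition that needs
-- sized types because a function is applied to the corecursive call.

open import Agda.Builtin.Size

data ℕ : Set where
  zero : ℕ
  succ : ℕ → ℕ

record Stream (i : Size) : Set where
  coinductive
  field
    head : ℕ
    tail : {j : Size< i} → Stream j
open Stream

-- mapS is size preserving: a stream of size i is mapped to one of size i
mapS : ∀ {i} → (ℕ → ℕ) → Stream i → Stream i
head (mapS f s) = f (head s)
tail (mapS f s) = mapS f (tail s)

-- nats = 0 :: mapS succ nats.  The corecursive call nats is at the smaller
-- size j, and mapS is size preserving, so tail nats has size j as required.
-- Without sizes the guardedness checker rejects this clause, since mapS is
-- applied to the corecursive call.
nats : ∀ {i} → Stream i
head nats = zero
tail nats = mapS succ nats

-- a fully defined stream has size ∞; since ∞ : Size< ∞, tail can be taken
-- at size ∞ again, so nth walks down the stream by ordinary recursion on n
nth : ℕ → Stream ∞ → ℕ
nth zero     s = head s
nth (succ n) s = nth n (tail s)
```

The reason this is safe is visible in the types: inside tail nats the only stream available at the current size is nats itself at a strictly smaller size j, and mapS cannot take a tail of it without a size below j, which is not in scope. Productivity is therefore established by the size discipline rather than by a syntactic guard.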

An example is the delay monad, as formulated by Abel and Chapman [2014]: 

  mutual 
    record ∞Delay (i : Size) (A : Set) : Set where 
      coinductive 
      field 
        force : {j : Size< i} → Delay j A 

    data Delay (i : Size) (A : Set) : Set where 
      now   : A → Delay i A 
      later : ∞Delay i A → Delay i A 

The delay monad represents partial elements of a data type: they can be 
defined elements, given by now a, or they can be elements later a', which 
are computed later. Infinite sequences of later are allowed, in which case an 
element is never defined, i.e. undefined. 

The Delay type is represented using the mutual definition of a coinductive 
record and an inductive data type. A single observation force is used in order 
to interact with the coalgebra ∞Delay, given as a record type. When forced, 
an element of Delay is obtained. We can pattern match on it to see whether 
the value is available now or later. If the value is available later, an element 
of ∞Delay is obtained, and we can force it again. In the definition above, 
Size is used as an index type for Delay and ∞Delay, understood as observation 
depth. 

3.2.6 Induction-Recursion 

In intuitionistic type theory, induction-recursion is considered to be a 
powerful definition method. The origin of this idea appeared for the first 
time in Martin-Löf's definition of universes à la Tarski (Martin-Löf [1982, 
1984]). Later Peter Dybjer abstracted from these examples and introduced 
the concept of induction-recursion (Dybjer [1991, 1992, 2000], Dybjer and 
Setzer [2003]). By a universe we mean a type the elements of which represent 
types. In the à la Tarski version of universes the elements of the universe are 
codes, and there is a decoding function which maps each code to the type it 
denotes. 

The universe is defined inductively, while the decoding function is defined 
simultaneously by recursion. For instance, we can define the type U and the 
function T₀ simultaneously by induction-recursion. We give here the code 
expressing that U is closed under ⊥, ⊤, Bool and Π; closure under other 
sets, as needed, can easily be added: 

mutual

  data U : Set where
    ⊥'    : U
    ⊤'    : U
    Bool' : U
    Π'    : (a : U) (b : T₀ a → U) → U

  T₀ : U → Set
  T₀ ⊥'       = ⊥
  T₀ ⊤'       = ⊤
  T₀ Bool'    = Bool
  T₀ (Π' a b) = (x : T₀ a) → T₀ (b x)

The false proposition, ⊥, is defined as the empty data type, having no constructors. It is the false formula, since it has no proof. The true proposition, ⊤, is defined as a data type with a single element, so it has exactly one proof. These propositions are defined in Agda as follows:

data ⊥ : Set where

data ⊤ : Set where
  triv : ⊤

These propositions can be used to translate Boolean values into propositions:

T : Bool → Set
T true  = ⊤
T false = ⊥

T b is the proposition expressing that b equals true. The type of Booleans is defined in Agda as follows:

data Bool : Set where
  true  : Bool
  false : Bool

These definitions will be used in Chapter 5 in order to define the type of choice sets.

The set Bool together with T is an example of a small universe. A universe consists of a set U of codes for the elements of the universe and a decoding function T : U → Set, which maps each element of U to the set it denotes. This is a way of defining a set of sets as a set. In this case the universe Bool has the element true, denoting the true formula, which is therefore mapped by T to ⊤, and the element false, denoting the false formula, which is mapped by T to ⊥. Here the set of codes and the decoding function can be defined separately; in most examples in dependent type theory both need to be defined simultaneously by an inductive-recursive definition. In Chapter 5 we will define a universe consisting of Choice together with ChoiceSet, which will be defined inductive-recursively.
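As an added example (it is neither the thesis's Choice/ChoiceSet universe nor CSP-Agda code), the following module defines a small universe of finite sets closed under ⊥, ⊤, Bool, disjoint union and dependent pairs, and shows the generic programming that a universe makes possible: an enumeration of the elements of any code and a decision procedure forAll for Boolean predicates over them. The constructor Σ' is what forces the definition to be inductive-recursive, since its second argument mentions the decoding function T₀. The names U, T₀, enum, size, forAll and Dep, and the standard library modules used, are choices made here.

```agda
module UniverseExample where

open import Data.Bool using (Bool; true; false; if_then_else_)
open import Data.Empty using (⊥)
open import Data.Unit using (⊤; tt)
open import Data.Sum using (_⊎_; inj₁; inj₂)
open import Data.Product using (Σ; _,_)
open import Data.List using (List; []; _∷_; _++_; map; concatMap; length; all)
open import Data.Nat using (ℕ)

mutual
  -- codes
  data U : Set where
    ⊥'    : U
    ⊤'    : U
    Bool' : U
    _⊎'_  : U → U → U
    -- dependent pair: the code of the second component may depend on an
    -- element of the first, so U refers to T₀ (induction-recursion)
    Σ'    : (a : U) → (T₀ a → U) → U

  -- decoding
  T₀ : U → Set
  T₀ ⊥'       = ⊥
  T₀ ⊤'       = ⊤
  T₀ Bool'    = Bool
  T₀ (a ⊎' b) = T₀ a ⊎ T₀ b
  T₀ (Σ' a b) = Σ (T₀ a) (λ x → T₀ (b x))

-- Every code denotes a finite set: list all of its elements.
enum : (u : U) → List (T₀ u)
enum ⊥'       = []
enum ⊤'       = tt ∷ []
enum Bool'    = true ∷ false ∷ []
enum (a ⊎' b) = map inj₁ (enum a) ++ map inj₂ (enum b)
enum (Σ' a b) = concatMap (λ x → map (λ y → (x , y)) (enum (b x))) (enum a)

-- Number of elements denoted by a code.
size : U → ℕ
size u = length (enum u)

-- Decide a Boolean predicate on T₀ u by checking it on every element;
-- this is total precisely because every code in U is finite.
forAll : (u : U) → (T₀ u → Bool) → Bool
forAll u p = all p (enum u)

-- A dependent code: pairs (b , x) where x : ⊤ if b is true and
-- x : Bool if b is false, so it denotes a set with 1 + 2 elements.
Dep : U
Dep = Σ' Bool' (λ b → if b then ⊤' else Bool')
```

The point of the construction is that enum and forAll are written once, by recursion on codes, and then work for every set the universe can express; the same idea is behind the use of a universe of choice sets in Chapter 5, where the decoding function is needed inside the definition of the codes themselves.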

3.2.7 Records 

Record types are used in order to group several values of possibly different types into one type. There are many different notations for records in programming languages. For instance, a record in C is introduced by the keyword struct and defined as follows:

struct data {
  int year;
  int month;
  int day;
};

Record types are defined in Agda as indicated by the following example:

record AB : Set where
  constructor pair
  field
    a : ℕ
    b : Bool

The above example defines a new record type AB with two fields. The first field is a, which has type ℕ, and the second field is b, with type Bool. In this definition of AB the constructor is pair. In addition, Agda allows dependent record types, where the type of one field depends on other fields.

Elements of a record type can be defined in three ways: by using a constructor, by using the record syntax, or by defining them through their projections (copattern matching).

In order to introduce an element of a record type by a constructor, one needs to add to the definition of the record type a constructor, using the keyword constructor, as in the previous example. This part of the definition is optional. It allows defining elements of a record type in a more readable and clean way. For instance, an element of the record AB can be defined, assuming x : ℕ and y : Bool, as follows:

n = pair x y

The Agda record syntax for defining an element is always available. The element of AB above can be defined as follows:

n = record {a = x ; b = y}

The third way is by giving the value of each projection, i.e. by the elimination rules of the record:

a n = x
b n = y

An example of a record type is the Σ-type. If A : Set and B : A → Set, then Σ A B is the set of pairs (a , b) where a : A and b : B a. We introduce here a definition which is generic in the set levels:

record Σ {a b} (A : Set a) (B : A → Set b) : Set (a ⊔ b) where
  constructor _,_
  field
    proj₁ : A
    proj₂ : B proj₁

We also frequently use the non-dependent product. Although it can be reduced to the Σ-type, it often behaves better, because its type arguments can be inferred, whereas the second argument of the Σ-type is a function type, which usually cannot be inferred:

data _×_ (a b : Set) : Set where
  _,_ : a → b → a × b

3.2.8 Mixfix Operators and Unicode

Agda has a mechanism for defining infix and mixfix operators, where the argument positions of an infix or mixfix operator are denoted by underscores (_). For example, disjunction, which is an infix operator on truth values, can be defined as follows:

_or_ : Bool → Bool → Bool
false or m = m
true  or m = true

In order to declare the precedence of an operator, Agda has the reserved keywords infixr, infixl and infix, for example:

infixl 10 _or_
infixl 11 _and_
infixl 12 if_then_else_

The priority of an operator is given by the number following the reserved word: for instance, _and_ binds more tightly than _or_, since the number associated with it is higher. infixl denotes a left-associative operator; for example (a or b or c) is parsed as ((a or b) or c). If we had declared it as infixr, it would be parsed as (a or (b or c)). With infix, this expression would cause a parsing error, since it cannot be parsed in a unique way. For more details, see the article Danielsson and Norell [2011]. Agda supports Unicode symbols by default, whereas in Coq and Haskell they are only available as an extension. The Unicode feature allows writing more readable code; for instance we can use the symbols Σ, ∀ and ∃. Mixfix operators and Unicode allow writing Agda code which looks very similar to what one would write down by hand. For example, the type of Booleans and the disjunction operation can be defined as follows:

data 𝔹 : Set where
  true  : 𝔹
  false : 𝔹

_∨_ : 𝔹 → 𝔹 → 𝔹
true  ∨ true  = true
true  ∨ false = true
false ∨ true  = true
false ∨ false = false


3.2.9 Implicit Arguments 

Agda offers a mechanism to mark arguments as implicit. Implicit arguments can be omitted, in case the type checker can uniquely determine the omitted argument. This allows hiding unnecessary arguments, and therefore simplifies code and makes it more understandable and readable.

Implicit arguments are marked by curly brackets ({}). For instance, we can define:

id : {A : Set} → A → A
id x = x

In the above function id, the argument A : Set is implicit. This definition is the same as the following one, where the argument A : Set is explicit:

id₁ : (A : Set) → A → A
id₁ A x = x

Using the first definition, the argument is omitted, for instance:

True : Bool
True = id true

Zero : ℕ
Zero = id zero

With the second definition, we have to state the argument explicitly:

Zero₁ : ℕ
Zero₁ = id₁ ℕ zero

true₁ : Bool
true₁ = id₁ Bool true

In order to give an implicit argument explicitly, curly brackets can be used, for instance:

id {ℕ} zero : ℕ

id {_} zero : ℕ    (*)

In (*) the underscore (_) indicates that the type checker has to figure out what the argument should be. If the type checker fails to infer the value, it will issue an error message.

3.2.10 Module System 

The module system in Agda is a mechanism intended to structure Agda code by separating it into different modules, which might occur in different files. This feature allows separate compilation and allows as well the use of parametrised modules. It is also useful for structuring larger developments. Modules are introduced in Agda using the keyword module. A module from a different file is imported into the current file using the keyword import, e.g. import maybe. After import maybe, names from the module maybe can be used via qualified names, for instance:

import maybe

fMaybe : {A B : Set} → (A → B) → maybe.Maybe A → maybe.Maybe B
fMaybe f maybe.nothing  = maybe.nothing
fMaybe f (maybe.just x) = maybe.just (f x)

The second reserved word is open, as in open Module, which brings everything from the module into scope, i.e. no qualified names are needed anymore. An example is

import Nat
open Nat

Z : ℕ
Z = zero

We can combine open and import into one step by using open import, for instance:

open import maybe

fMaybe : {A B : Set} → (A → B) → Maybe A → Maybe B
fMaybe f nothing  = nothing
fMaybe f (just x) = just (f x)

Agda allows as well to control the names brought into scope by stating explicitly which names to open (keyword using), by hiding names (keyword hiding), and by renaming names (keyword renaming).

3.2.11 Postulated Types 

Agda allows, using the keyword postulate, to postulate a type or a function: a constant of the given type is introduced without any reduction rule. For instance, we can postulate a type, an element and a relation as follows:

postulate A : Set
postulate a' : A

postulate _==_ : A → A → Set

This mechanism assumes that certain constructions exist, without defining them. It even allows one to postulate an element of the empty set. Therefore a proof is only correct if no postulates occur. In the above example we introduce a set A and an element a' of this set; we know nothing else about A and the binary relation _==_.

3.2.12 Let, Where, With-expressions, Mutual Definitions, Intensional Equality, and Rewrite

Agda offers let- and where-expressions in order to declare local definitions. In comparison, where-expressions allow pattern matching and recursive functions, whereas pattern matching and recursive functions are not allowed in let-expressions. In Agda let-expressions are written as follows:

let
  a₁ : A₁
  a₁ = s₁
  a₂ : A₂
  a₂ = s₂
  ...
  aₙ : Aₙ
  aₙ = sₙ
in t

In the above definition, the let-expression introduces the following new local constants:

a₁ : A₁ s.t. a₁ = s₁,
a₂ : A₂ s.t. a₂ = s₂,
...
aₙ : Aₙ s.t. aₙ = sₙ

On the other hand, where-expressions allow pattern matching and recursive definitions. An example of the use of primitive recursion and pattern matching in a where-expression is as follows:

revList : (A : Set) → List A → List A
revList A list = refAux list []
  where
    refAux : List A → List A → List A
    refAux []       xy = xy
    refAux (x ∷ xs) xy = refAux xs (x ∷ xy)

The reserved word mutual is used in Agda in order to simultaneously define two or more functions or data types that depend on each other, for instance:

mutual

  data Even : Set where
    zero : Even
    suc  : Odd → Even

  data Odd : Set where
    suc : Even → Odd

Alternatively, one can omit mutual by first giving the signatures of the types used and then giving their definitions. The example above can be rewritten as follows:

data Even : Set
data Odd : Set

data Even where
  zero : Even
  suc  : Odd → Even

data Odd where
  suc : Even → Odd

In this example the signature of Odd is

data Odd : Set

(without the keyword where), and : Set is omitted in the definition.

In Agda we use the construct with in order to abstract a function f over the value of an auxiliary expression e. This adds another argument to f, over which we can then pattern match. An example is as follows:

MinN : ℕ → ℕ → ℕ
MinN x y with (x < y)
MinN x y | true  = x
MinN x y | false = y

Here, the equations of MinN have an extra argument, separated from the original ones by a vertical bar. In this example we did not carry out any further pattern matching on x and y; the only case distinction we made was on (x < y). Repeating the left-hand side is tedious, so we can replace it with ... |. Thus we can define MinN as well as follows:

MinN : ℕ → ℕ → ℕ
MinN x y with (x < y)
... | true  = x
... | false = y

Intensional equality on a set A, which was mentioned in Subsect. 3.1.4, is defined as an indexed inductive definition, which has a proof refl of type x ≡ x:

data _≡_ {a} {A : Set a} (x : A) : A → Set a where
  instance refl : x ≡ x

The rewrite construct takes as argument a proof of a propositional equality, and rewrites the goal and the context using this equation. An example is as follows:

+0 : ∀ n → n + zero ≡ n
+0 zero = refl
+0 (succ n) rewrite +0 n = refl

In this example, in the (succ n) case, by using the equation (+0 n) from the induction hypothesis, we have the additional rewrite rule that (n + zero) rewrites to n. Therefore the goal succ n + zero ≡ succ n, which by the defining equations of + reduces to succ (n + zero) ≡ succ n, is rewritten to succ n ≡ succ n, and we can use refl to prove this goal.

The rewrite construct can be reduced to the with construct. Our example can be reduced to the following code:

+0' : ∀ n → n + zero ≡ n
+0' zero = refl
+0' (succ n) with n + zero | +0' n
+0' (succ n) | .n | refl = refl


3.2.13 BUILTIN and Primitive 

Agda uses the keywords BUILTIN and primitive in order to use efficient native implementations of specific inductive types. The most common example in Agda is the natural number data type. In the following example we illustrate the idea of this mechanism:

data ℕ : Set where
  zero : ℕ
  succ : ℕ → ℕ

{-# BUILTIN NATURAL ℕ #-}

This means that the BUILTIN NATURAL is used for ℕ. Instead of dealing with natural numbers as constructed by the constructors succ and zero, Agda will internally use Haskell's native natural numbers. It allows as well writing decimal numbers as elements of ℕ.

Agda will check that ℕ is an inductive construction with type Set, which has two constructors having the types of zero and succ above.

Using these declarations we can write 24 : ℕ instead of

succ (succ (succ (succ ( ... (succ zero)))))   with 24 occurrences of succ.

It allows as well in patterns to write 0 for the constructor zero : ℕ.

The second main example of BUILTIN is List. It is used in Agda as follows:

data List (A : Set) : Set where
  []  : List A
  _∷_ : A → List A → List A

The Agda construct primitive is similar to BUILTIN, but for types which are represented in native Agda as postulates, i.e. they do not β-reduce for open terms and are not implemented in Agda. This means they behave as a black box which is not checked.


3.3 Setup of Agda 

Agda offers an interactive interface in order to facilitate writing code. It allows as well to compile code.

3.3.1 Interactive Interface

The interactive interface of Agda is based on Emacs. Without this interface, writing code with dependent types would be cumbersome. The interface allows to interactively refine code. When code is loaded (i.e. type checked), parts of the code are highlighted in green, red or yellow. Code highlighted in red means that termination checking failed; code highlighted in yellow means that implicit arguments could not be inferred. Goals are parts of the code which have not been written yet, and are highlighted in green. Agda has a special goal menu, which allows, for a goal, to determine the type needed and the context, to evaluate terms in its context to normal form, to solve it automatically, to refine the goal, and many more features.

The Agda mode of Emacs offers many shortcut keys: for instance, for loading a file, compiling a file, killing and restarting Agda, showing goals, moving to the next and previous goal, and as well shortcuts for the goal menu.

3.3.2 Compiled Version of Agda 

The mechanism used in order to create executable code from Agda is compilation into Haskell. Different compilers can be used, the main one being the Glasgow Haskell Compiler GHC (Peyton Jones et al. [1993]). Agda uses the keyword COMPILE in order to replace Agda definitions by corresponding Haskell definitions, followed by the compiler (e.g. GHC) and the definition. It has as well a keyword FOREIGN to carry out definitions needed for the COMPILE directive. Consider for instance the definition of List:

data List (A : Set) : Set where
  []  : List A
  _∷_ : A → List A → List A

In order to bind the List data type in Agda to the list data type in Haskell, we first define the type of Agda lists in Haskell and then bind List to this type:

{-# FOREIGN GHC type AgdaList a = [a] #-}

{-# COMPILE GHC List = data AgdaList ([] | (:)) #-}

Another example is the IO monad. It is a postulated type in Agda, which is compiled to the Haskell IO monad:

postulate IO : Set → Set

{-# COMPILE GHC IO = type IO #-}

In the case of String we can use the built-in type of strings, but translate commands using it into corresponding interactive programs of Haskell:

postulate String : Set

{-# BUILTIN STRING String #-}

postulate putStrLn : String → IO Unit

{-# COMPILE GHC putStrLn = (\ s -> putStrLn (Data.Text.unpack s)) #-}

More information about compiler mechanisms in Agda can be found in the MAlonzo article (Benke [2007]) and in Hausmann et al. [2015].

3.3.3 Interactive Programs in Agda 

Interactive programs can be written in Agda using the IO monad of Hancock and Setzer, which is a dependently typed version of the IO monad and which was developed in Hancock and Setzer [2000a,b, 2005], Setzer and Hancock [2004]. The theoretical basis for the IO monad was developed by Moggi (Moggi [1991]). It was pioneered by Peyton Jones and Wadler (Wadler [1990, 1995, 1997, 1998], Peyton Jones and Wadler [1993]) in order to represent interactive programs in functional programming, especially in Haskell.

The main idea of the IO monad is that an interactive program is based on an IO interface, which introduces a set of commands which can be executed in the real world, together with a set of responses the real world can return in response to such a command. An IO program iteratively issues commands from its interface and continues depending on the response from the real world. The IO data type is a coinductive form of a Petersson-Synek tree (Petersson and Synek [1989]), except that it also has the option to terminate and return a value. This allows for monadic composition of programs, that is, sequencing one program with another program, where the second program depends on the return value of the first program. It is coinductive, since interactive programs can potentially run forever.

The interface of an IO program is given by a set Command of real world commands and, for each command executed, the set of responses the real world can return:

record IOInterface : Set₁ where
  field
    Command  : Set
    Response : Command → Set

The set of interactive programs is defined coinductively as a set IO, which by the eliminator force eliminates into the set IO' of IO shapes. The shapes in IO' are (return' a), for a program which terminates returning the value a, and (do' c f), for a program which executes the command c in the real world and, depending on the response r : I .Response c the world returns, continues as the interactive program f r.

Monadic composition (>>=) of programs allows combining an IO program with another program which depends on the result of the first one. It is defined as follows (depending on an interface I; we define as well a version >>, in which the second program does not depend on the first one):

_>>='_ : ∀{i}{A B : Set} (m : IO' i I A) (k : A → IO (↑ i) I B) → IO' i I B
do' c f   >>=' k = do' c λ x → f x >>= k
return' a >>=' k = (k a) .force

_>>=_ : ∀{i}{A B : Set} (m : IO i I A) (k : A → IO i I B) → IO i I B
(m >>= k) .force = m .force >>=' k

_>>_ : ∀{i}{B : Set} (m : IO i I ⊤) (k : IO i I B) → IO i I B
m >> k = m >>= λ _ → k

In this thesis the only IO interface we use is a console interface consoleI. It has two commands. The first command (putStrLn str) prints a string str on the console. The world only returns that it has performed it, so the response is an element of the one element set ⊤. The second command getLine asks for a string entered by the user. The world responds with the String which was input by the user, and depending on it the program continues. The complete definition of IOConsole is as follows:

data ConsoleCommand : Set where
  putStrLn : String → ConsoleCommand
  getLine  : ConsoleCommand

ConsoleResponse : ConsoleCommand → Set
ConsoleResponse (putStrLn _) = ⊤
ConsoleResponse getLine      = String

consoleI : IOInterface
consoleI .Command  = ConsoleCommand
consoleI .Response = ConsoleResponse

IOConsole : Size → Set → Set
IOConsole i = IO i consoleI

There exists a library (Abel et al. [2016]) which supports the writing of interactive programs and of object based programs in Agda. See as well the article Abel et al. [2017], which describes this library in great detail.

Elements of IO are compiled via the COMPILE directive into native IO programs of Haskell, which are then compiled into native code and executed.

Just before submitting the final version of this thesis, Haskell's do notation was ported to Agda, and the keyword do can no longer be used as a constructor. It would be possible to use do', but we use do as well for defining elements of IO directly. Therefore this constructor will be replaced by exec in future versions of CSP-Agda.
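The following module is an added example; it is neither the thesis's own code nor the library of Abel et al. [2016]. It reconstructs the definitions the text describes, with the constructor named exec' as announced above instead of do', and writes two programs against consoleI: a finite one built from >>= and >>, and an infinite echo loop given by copattern matching. The definitions of IO and IO', the helpers return and exec, and the programs echoN and echoForever are choices made here following the pattern described in the text; the implicit interface argument I replaces the module parameter the text mentions. Running the programs additionally requires the COMPILE translation of the console commands into Haskell, which this example does not include.

```agda
{-# OPTIONS --sized-types #-}
module IOConsoleExample where

open import Size
open import Data.Unit using (⊤; tt)
open import Data.Nat using (ℕ; zero; suc)
open import Data.String using (String; _++_)

record IOInterface : Set₁ where
  field
    Command  : Set
    Response : Command → Set
open IOInterface

-- Programs form a coalgebra IO, observed by force into shapes IO'.
mutual
  record IO (i : Size) (I : IOInterface) (A : Set) : Set where
    coinductive
    field
      force : {j : Size< i} → IO' j I A

  data IO' (i : Size) (I : IOInterface) (A : Set) : Set where
    exec'   : (c : Command I) → (Response I c → IO i I A) → IO' i I A
    return' : A → IO' i I A
open IO

-- Monadic composition; k is typed at ↑ i so that (k a) can be
-- forced at size i in the return' case.
mutual
  _>>='_ : ∀ {i I} {A B : Set} → IO' i I A → (A → IO (↑ i) I B) → IO' i I B
  exec' c f >>=' k = exec' c λ r → f r >>= k
  return' a >>=' k = force (k a)

  _>>=_ : ∀ {i I} {A B : Set} → IO i I A → (A → IO i I B) → IO i I B
  force (m >>= k) = force m >>=' k

_>>_ : ∀ {i I} {B : Set} → IO i I ⊤ → IO i I B → IO i I B
m >> k = m >>= λ _ → k

return : ∀ {i I} {A : Set} → A → IO i I A
force (return a) = return' a

-- Issue one command and return the world's response.
exec : ∀ {i I} (c : Command I) → IO i I (Response I c)
force (exec c) = exec' c return

-- The console interface, as in the text.
data ConsoleCommand : Set where
  putStrLn : String → ConsoleCommand
  getLine  : ConsoleCommand

ConsoleResponse : ConsoleCommand → Set
ConsoleResponse (putStrLn _) = ⊤
ConsoleResponse getLine      = String

consoleI : IOInterface
Command  consoleI = ConsoleCommand
Response consoleI = ConsoleResponse

IOConsole : Size → Set → Set
IOConsole i = IO i consoleI

-- A terminating program, by recursion on n: read and echo n lines.
echoN : ∀ {i} → ℕ → IOConsole i ⊤
echoN zero    = return tt
echoN (suc n) = exec getLine >>= λ s →
                exec (putStrLn ("you typed: " ++ s)) >> echoN n

-- A non-terminating program, given by its observation: the recursive
-- call sits under exec' at the smaller size j, so it is productive.
echoForever : ∀ {i} → IOConsole i ⊤
force echoForever = exec' getLine λ s → exec (putStrLn s) >> echoForever
```

The two programs show the two ways of building elements of IO that the text refers to: echoN only uses the monadic operations and is accepted by structural recursion on its number argument, whereas echoForever has no such argument and is accepted because its only observation, force, produces an exec' shape whose continuation refers to echoForever at the strictly smaller size j.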
Chapter 4

Review of Literature


In this chapter, an overview of related work is presented in seven parts. First, in Sect. 4.1 we provide an overview of the use of formal methods in an industrial environment. Then, in Sect. 4.2 we present related work regarding the use of process algebras for modelling and verification of industrial-strength systems. In Subsect. 4.2.1 we present related work on verifying software in CSP. In Sect. 4.3 we give an overview of theorem provers. In Sect. 4.4 we investigate work on using functional programming to define process algebras. In Sect. 4.5 we present work on defining process algebras in dependent type theory. Then (Sect. 4.6) work on defining process algebras in a coalgebraic manner is presented. In the last section, 4.7, we investigate work on using the theorem prover Agda as a platform for modelling and verifying systems.

4.1 Formal methods 

Failure to discover an error in a safety-critical system can lead to a catastrophic situation. Therefore, in the field of industrial safety-critical systems, the verification step is considered crucial. Formal verification and validation is a vital step for the certification of many critical systems, e.g. railway systems, see Cimatti et al. [2012].

Formal methods are mathematical techniques for developing and verify¬ 
ing software and hardware systems, usually assisted by tools. The use of 
mathematically rigorous techniques allows users to analyse and verify sys¬ 
tems at any stage of the program life cycle: requirements, specification, 
architecture, design, implementation, testing, maintenance, and evolution 
(Woodcock et al. [2009]). 

The requirements stage is considered as an essential step in a high-quality 
software development process. Easterbrook et al. [1998] successfully present 
three case studies of using formal methods in requirements modelling. 
At the specification level, this approach plays a dominant role in specifying software. Here, the behaviour of sequential systems can be described using certain formal methods, for instance Z (Spivey [1988]), VDM (Jones [1990]), and Larch (Garland et al. [1993]).

In order to specify systems in a concurrent manner, other methods such 
as CSP (Hoare [1978]), CCS (Milner [1982]), state charts (Harel [1987]), 
temporal logic (Pnueli [1977], Manna and Pnueli [2012], Lamport [1994]), 
and I/O automata (Lynch and Tuttle [1987]) are used. 

Complex software systems need a rigorous organisation of the architec¬ 
tural structure of their segments: a model of the system that suppresses the 
implementation specification is needed, in order to enable the designer to fo¬ 
cus on the analyses and decisions that are essential to structuring the system 
in order to meet its requirements (Allen [1997], Lamsweerde [2003]). 

The formal architectural description language WRIGHT provides a prac¬ 
tical basis for a formalisation of the abstract behaviour of architectural com¬ 
ponents and connectors (Allen [1997]). 

Formal methods are used in software design. Refinement is considered 
as a general approach for adding details to a software design in incremental 
steps (Mo [2005]). Data refinement plays a central role in methods such 
as VDM (Jones [1990]) and in program refinement calculi (Dijkstra [1975], 
Morris [1987], Morgan [1988], Back and von Wright [1990]). 

Formal methods are used for code verification at the implementation level. 
Program verification was first developed by Floyd and Hoare (Floyd [1993], 
Hoare [1969]). Gaudel [1995] presents a theory of program testing based on 
formal specifications, which was developed into an important research topic. 
Hoare reports the use of formal assertions used at Microsoft for program 
testing rather than proving the correctness of programs (Hoare [2002]). 

Formal methods are applied in software maintenance (Younger et al. [1996]) and software evolution (Ward and Bennett [1995]). The idea behind using formal methods during the design process is to improve the understanding of the system requirements and design (Craigen et al. [1993]). This helps by capturing specification and design errors earlier in the design cycle. Early detection of errors leads to big time savings by reducing rework.

More information regarding successful application of formal methods in 
industry can be found in Clarke and Wing [1996]. Winter [2002] provides 
a successful example of how formal methods can be employed to enhance 
the industrial development process. Many standards in the field of railways 
safety currently mandate the use of formal methods in the design in order 
to verify correctness (Cimatti et al. [2012]). A review of formal methods 
relating to industrial projects can be found in Woodcock et al. [2009]. 
4.2 Process algebra

The aim of software verification is to assure that programs meet all the expected requirements. Providing a formal semantics of programming languages is a primary step toward program verification. In the last 40 years, many researchers have carried out research regarding this. The approach of process algebras provides a formal semantics for concurrent systems and allows proving their properties (De Nicola [2014]).

The term "process algebra" was coined in 1982 by Bergstra and Klop [1984b]. Process algebra is the way of using algebraic means to study distributed or parallel systems. The word "process" here is used to represent the behaviour of a system. The word "algebra" means that the approach for dealing with a system is algebraic and axiomatic (Baeten et al. [2007]). The main process algebra approaches are the Calculus of Communicating Systems (CCS) (Milner et al. [1992]), Communicating Sequential Processes (CSP) (Hoare [1983]) and the Algebra of Communicating Processes (ACP) (Bergstra and Klop [1984a]).

4.2.1 CSP 

The process algebra CSP (Abdallah [2005], Hoare [1983], Roscoe [1998], Ryan and Schneider [2001]) takes a prominent place among the formal method approaches devoted to modelling, analysis and verification of concurrent systems. CSP has been used extensively for modelling, verifying and analysing systems in industry.

McInnes [2007] developed a formal approach to engineering spacecraft behaviour, based on mathematical models using CSP. He successfully shows that process algebras can provide spacecraft designers with a mathematical approach for specifying and verifying system behaviour.

Winter [2002] studies railway interlocking systems by modelling the systems using CSP. The author uses the FDR2 checker to check the model against safety properties, for example absence of derailment and collision. Winter successfully provides a case study of how formal methods can support and develop the process in the industrial field.

Faber and Meyer [2006] show that CSP-OZ-DC is suited for modelling systems in the industrial field. They assume that critical system behaviours are specified by at least three aspects, namely the control flow aspect, the data aspect, and the real-time aspect. CSP-OZ-DC combines CSP, Object-Z (OZ) and the Duration Calculus (DC), where the internal and external behaviour is described using CSP, the data aspects are represented using Object-Z, and the real-time aspects are specified using the Duration Calculus. The authors use this approach to model the emergency messages for the Radio Block Centres (RBCs) in the European Train Control System (ETCS). RBCs manage the traffic in their area by exchanging messages between the RBC and the trains in order to guarantee the safety of the railways in the ETCS. The authors focus on the emergency messages to ensure that trains never collide.


4.3 Theorem Provers 

Theorem proving tools can be classified into one of two categories: interactive theorem proving or automatic theorem proving. An excellent introduction to the various flavours of theorem proving can be found in Harrison [2008], and a more technical analysis can be found in Boutin [1997]. In this thesis our aim is to represent the process algebra CSP in the theorem prover Agda; at this stage we try to answer the question why we use Agda and not other theorem provers.

Software is becoming more important and more widespread in modern society. It is also becoming more complicated. Computer programs and safety-critical devices are appearing in more and more areas of everyday life. In these systems, the price of failure is rising as well. To efficiently develop programs and be sure that they are correct, we should make the type system more expressive. Martin-Löf type theory (Martin-Löf [1975, 1982, 1984]) is a type theory which can be considered as a programming language equipped with an expressive type system.

Agda (Agda Community [2017a], Bove et al. [2009], Agda Community [2017b]) is a theorem prover and dependently typed programming language, which extends intensional Martin-Löf type theory (Martin-Löf [1984]). It is closely related to the theorem prover Coq (Coq Community [2015], Paulin-Mohring [2012], Coq Development Team [2015], Dowek et al. [1991]). Predicates are given as types, the elements of which are proofs of that property. The language of Agda is a functional programming language with numerous features added. Agda supports pattern matching, termination checking, inductive data types together with inductive-recursive types, and inductive families. Induction-recursion allows defining data types and recursively defined functions simultaneously. In contrast, Coq supports inductive data types but not yet inductive-recursive types, which we use extensively in CSP-Agda for defining the set of choice sets and return types. Agda defines coinductive types in two ways: the newer one, which we use extensively, is based on coalgebras as given by their elimination rules, and the older one is based on coalgebras as given by introduction rules. Coq defines coinductive types only in the way corresponding to the older approach, namely by their introduction rules. Since we use extensively the definition of coinductive types by their elimination rules, Agda was the right choice for this thesis. Agda has a powerful mechanism for definitions by pattern and copattern matching, which is much more intuitive than Coq's approach. Especially when working with coalgebras, which are used a lot in CSP-Agda, the approach of Agda is much more intuitive. See Chapter 3 for more information about this distinction.

Isabelle (Paulson [1994, 1988a]) is a generic proof assistant, originally developed at the University of Cambridge and the Technical University of Munich. This proof assistant allows mathematical formulas to be represented in a formal language, and allows the use of external tools linked to Isabelle to prove those formulas. Isabelle integrates the powerful automated theorem prover Sledgehammer (Paulson and Blanchette [2010]). Equality on coalgebras is defined as bisimilarity, which together with automated theorem proving support makes proving properties about coalgebras easy. Despite all this support, Isabelle lacks dependent types. Since our approach is based on dependent types, our choice is Agda.

There are many functional languages supporting dependent types, for instance, McBride's Epigram (McBride and McKinna [2004]), and Idris (Brady [2008, 2013, 2011]), developed by the group of Brady. Idris is primarily a programming language, whereas we want to carry out proofs of properties of CSP processes; therefore Idris is not suitable. Epigram is, at the time of writing this thesis, not as well supported as Agda; therefore our choice is Agda.


4.4 Defining Process Algebras in Functional Programming

There have been several successful approaches to combining functional programming with the process algebra CSP. Brown [2008] introduced a library (Communicating Haskell Process library, CHP) in Haskell. Since Haskell lacks explicit support for concurrency, he used a Haskell monad to provide a way to explicitly specify and control sequence and effects. In CHP the authors introduce a type (CHP a) of monadic processes with return value of type a. They have a return statement similar to our terminate process. In that paper they add operators from CSP such as (external) choice, parallelism, exception, sequencing and iteration. The focus is mainly on writing programs using these operators, not on creating a proper semantics and proving properties about their processes. Such a semantics is important to make sure that especially the terminate process is dealt with correctly - in our setting this gave rise to lots of subtle issues. Their setting doesn't seem to include the ✓-event, which plays an important role in CSP, and is quite difficult to deal with in a monadic setting, since one needs to add return values to ✓-events. It seems that they replace ✓-transitions by τ-transitions to the terminated process. This doesn't work in CSP, since for instance in case of interleaving, ✓-transitions are blocked until both sides of the interleaving operator have a ✓-transition, whereas τ-transitions can be followed by each process separately. We couldn't detect an explicit treatment of τ-transitions in their setting, although it is implicit in the internal choice operator. Brown [2009] presents a new technique in order to generate CSP models of Haskell implementations using the CHP library. This approach is characterised by the need for a detailed semantics of the Haskell language. They use the FDR and ProB tools in order to check the model generated by this approach against deadlock, and as well to perform refinement checks. Lopez et al. [2002] gave further examples of combining functional programming with process algebras. They used the functional language Eden in order to translate VPSPA specifications into Eden programs. Eden extends Haskell, and can be considered as a concurrent functional language. Similarly, Fontaine [2011] gave another successful attempt at implementing the operational semantics of CSP (Roscoe [1998]) using the functional programming language Haskell. He presented a new tool for animation and model checking for CSP. Fontaine used a monad in order to model input/output, partial functions, state, non-determinism, monadic parsing and passing of an environment. Tej and Wolff [1997] implemented the failures-divergence model of CSP developed by Brookes and Roscoe [1984] in Isabelle/HOL (Paulson [1986, 1988b]). They discovered an error which they corrected. Kammüller formalised CSP in Isabelle/HOL (Kammüller [2007]). He used the features of the underlying higher order logic of Isabelle, for instance, the formalisation of fixed points due to Tarski and of data types. Kammüller used the predefined theory of the fixed point of Isabelle/HOL in order to define the semantics of recursive processes. In our approach, the predefined theory of coalgebras is used to define processes directly corecursively without having to use the recursion combinator. In contrast, Tej and Wolff [1997] recreated instead the entire Tarski fixed point theory.
4.5 Defining Process Algebras in Dependent Type Theory

Sellink [1994] gave a successful attempt to represent process algebras in type theory. Sellink used μCRL (Groote and Ponse [1995]), a language for reasoning about the Algebra of Communicating Processes, in order to implement it in the type theoretic proof assistant Coq (Paulin-Mohring [2012], Coq Development Team [2015]).

Sellink follows an algebraic approach towards proving laws about the process algebra ACP in Coq. Processes are defined from high level operators of ACP (which would correspond in CSP to forming processes from atomic ones using operations such as prefix, external choice, internal choice, interleaving etc.). Then algebraic laws for these processes are axiomatised, from which one can derive new equalities. Translated into CSP it would mean to have laws regarding equalities and refinements of processes formed from these operations. Then one can show properties between processes formed using those operations. In this algebraic approach the processes are not directly implemented as something which could be executed, but kept abstract. In CSP-Agda we obtain processes one could program with, whereas in the approach by Sellink all we can do is prove properties about them. In our approach we can prove the algebraic laws, whereas in the approach by Sellink this cannot be done, since these laws are the axioms of that approach.

Bezem et al. [1997] take the first step towards the formal verification of correctness proofs of real-life protocols in process algebras. The authors translated the proof theory of μCRL, which is based on the Algebra of Communicating Processes (ACP) of Bergstra and Klop, into Coq. As a case study, Bezem et al. verified the alternating bit protocol. Similarly, in Groote and van de Pol [1996], the process algebra μCRL is used to specify a protocol which describes the transmission of large data packets over channels. μCRL is a formal framework, which combines a process algebra and abstract data types. It was devised in 1990 to model and study such systems. The correctness proof has been carried out in Coq. Cleaveland and Panangaden [1988] gave an earlier attempt to implement process algebras in type theory. They implemented the Calculus of Communicating Systems (Milner [1982]) in the proof assistant Nuprl (Aaron [2001]), which is similar to Agda, but is based on extensional Martin-Löf type theory. Elliott [2015] proposed an approach of representing concurrent programs in the dependently typed programming language Idris, and compiling them into the functional programming language Erlang using the Actor Model of Erlang. This allows to produce verified concurrent programs. Conceptually Erlang is similar to the Occam programming language. CSP was highly influential in the design of Occam.

Close to our work, in the context of defining structures coinductively in dependent type theory, Spadotti [2015] described the implementation of a mechanised theory of regular trees coinductively in dependent type theory and implemented it in the theorem prover Coq.


4.6 Defining Process Algebras using Coalgebras

Mathematical induction is a backbone of programming and program verification (Leino and Moskal [2014]). Briefly, induction is used to define algebraic data structures (Bird and Wadler [1988]), it arises behind program semantics, it is used to obtain finite iteration and recursion (Beckert et al. [2007]), and it is used in order to carry out proofs (Sheeran et al. [2000]). Induction deals with finite, or more generally well-founded, behaviour, whereas, in contrast, coinduction deals with infinite objects (infinite data, infinite behaviour, etc.). Coinduction is the dual of induction. Coinduction is essential in order to verify and program infinite programs, which might go on forever. For instance, coinduction can be used to construct data types (Jones [2003]), define semantics (Park [1981]) and to carry out proofs (Leroy [2009]). Indubitably, both induction and coinduction are desirable for developing programs and verifying them.

Coalgebras have become one of the main methods for specifying the reactive behaviour of a system. A good overview on coalgebras can be found in Rutten [2000]. Goncharov and Schröder [2013] defined a framework for concurrent processes, where atomic steps have side effects. Goncharov et al. used the monadic principle in order to encapsulate effects. Processes in that approach are modelled as infinite resumptions using a final coalgebra. The main result of that paper is a corecursion scheme over the base language and a new semantics for operators on processes such as parallel composition. They extended the framework to cover safety properties.

Mossakowski et al. [2006] gave a good example of using coalgebras in order to extend the specification language CASL. Goncharov et al. [2014] also developed a semantic framework that combines monads, operations and recursive definitions. Their metalanguage for effectful recursive definitions was inspired by Moggi's computational metalanguage. They integrated the coalgebraic and monad aspects of the computations into a single framework. Using the notion of a complete Elgot monad, the authors developed a metalanguage. The work closest to our research is Goncharov et al. [2014], who have also formalised corecursive definitions of process algebraic operations on processes with side effects using a new metalanguage.

Giménez [1995] represents a calculus for describing broadcasting systems (Prasad [1995]) in the theorem prover Coq, such that the behaviour of processes is modelled as coinductive types.

Isobe and Roggenbach [2005] have developed a tool called CSP-Prover, which allows to carry out refinement proofs in CSP, specifically proofs for infinite state systems. CSP-Prover is an interactive theorem prover, which is built upon the theorem prover Isabelle/HOL. They implemented the theories of complete metric spaces (cms) and complete partial orders (cpo) in Isabelle/HOL in order to model infinite state systems in CSP-Prover. In CSP-Agda, in contrast, the semantics of processes is defined as a coinductively defined predicate rather than a set, which allows to reason directly using the definition of those predicates.

4.7 Agda as Platform for Modelling Programs 

Kanso, in his PhD thesis (Kanso [2012]), developed a framework for the development of verified railway interlockings in the theorem prover Agda. In that thesis, Kanso integrated automated theorem proving (SAT solving and CTL model-checking) into type theory. He addressed verification in the railway domain and applied it to both modern electronic interlockings and traditional mechanical interlockings. Kanso formalises railway interlocking systems in ladder logic, namely as a large set of Boolean variables together with a next step operation, which defines the state of the Boolean variables in the next step. For instance, we could have a variable corresponding to a request to set a signal to green, where the state of the signal is represented by another (or several) Boolean variables. The next step function would then, in case the request was made and it is safe to set the signal to green, actually set that variable so that the signal is green. In the CSP approach, the units in a railway interlocking system are defined instead as processes, which communicate with each other. In Kanso's approach these processes would be translated into states of Boolean variables, and the next communications possible in the process world would correspond to computing the variables representing the next state from the current one. In the ladder logic approach everything is deterministic. Non-determinism can only be represented by having input variables which decide which of the non-deterministic choices to carry out.
Chapter 5

The Library CSP-Agda


In this chapter we will first introduce the way of defining the labels on which processes depend (Sect. 5.1). Then we show how to add a monad structure to CSP (Sect. 5.2). Then (Sect. 5.3) we show how to represent CSP processes in Agda in a coalgebraic way. Then we develop the representation of CSP operators in CSP-Agda: sequential composition or monadic bind (Sect. 5.5), the recursion operator (Sect. 5.6), STOP, SKIP, Terminate, and DIV (Sect. 5.7), prefix (Sect. 5.8), internal choice (Sect. 5.9), external choice (Sect. 5.10), renaming (Sect. 5.11), interleaving (Sect. 5.13), hiding (Sect. 5.12), parallel operator (Sect. 5.14), and, finally, the interrupt operator (Sect. 5.15).

5.1 Label Universe LUniv 

Processes depend on a set of labels. We define a type LUniv of labels together with an equality, proofs of reflexivity, symmetry, the transfer principle, a show function, and a list of labels, intended to be the list of all labels available (see file labelUniv.agda, Appendix A.51). The transfer principle expresses that if we have any predicate Q on labels, two labels l and l' and a proof that they are equal, then we can transfer an element of Q l to Q l'. Since the set of labels will be in our setting finite, one could have used as well the intensional equality together with a proof that it is decidable. Decidability of equality is needed, since when simulating a CSP program, one needs to decide which process to continue with after an external choice has been provided to the process. The component sym==lf can actually be derived from transf and refl==lf. T, which was introduced in SubSect. 3.2.6, was renamed to T', in order to avoid conflicts with imported libraries:

record LUniv : Set₁ where
  field
    Labelf     : Set
    _==lf_     : Labelf → Labelf → Bool
    refl==lf   : {l : Labelf} → T' (l ==lf l)
    sym==lf    : {l l' : Labelf} → T' (l ==lf l') → T' (l' ==lf l)
    transf     : {l l' : Labelf} → (Q : Labelf → Set)
                 → T' (l ==lf l') → Q l → Q l'
    showLabelf : Labelf → String
    LabelListf : List Labelf


For type inference purposes it is better to introduce a separate type of 
labels for an element of LUniv - otherwise Agda is not able to guess which 
element of LUniv is chosen: 

data Label (lu : LUniv) : Set where
  lab : LUniv.Labelf lu → Label lu

We now transfer the operations from LUniv to Label: 

_==l_ : {lu : LUniv} → Label lu → Label lu → Bool
_==l_ {lu} (lab x) (lab y) = LUniv._==lf_ lu x y

refl==l : {lu : LUniv} {l : Label lu} → T' (l ==l l)
refl==l {lu} {lab x} = LUniv.refl==lf lu {x}

sym==l : {lu : LUniv} {l l' : Label lu} → T' (l ==l l') → T' (l' ==l l)
sym==l {lu} {lab x} {lab y} p = LUniv.sym==lf lu {x} {y} p

transfLu : {lu : LUniv} (Q : Label lu → Set) {l l' : Label lu}
           → T' (l ==l l') → Q l → Q l'
transfLu {lu} Q {lab l} {lab l'} ll' q =
           LUniv.transf lu {l} {l'} (λ x → Q (lab x)) ll' q

_==L_ : {lu : LUniv} → Label lu → Label lu → Set
_==L_ {lu} l l' = T' (_==l_ {lu} l l')

showLabel : {lu : LUniv} → Label lu → String
showLabel {lu} (lab x) = LUniv.showLabelf lu x

LabelList : (lu : LUniv) → List (Label lu)
LabelList lu = map (λ x → lab x) (LUniv.LabelListf lu)

labelBoolFunToString : {lu : LUniv} → (Label lu → Bool) → String
labelBoolFunToString {lu} f = unlines (map (showLabel {lu})
                                           (filter f (LabelList lu)))

labelLabelFunToString : {lu : LUniv} → (Label lu → Label lu) → String
labelLabelFunToString {lu} f = "[["
                               ++s unlinesWithChosenString ", "
                                     (map (λ l → showLabel {lu} (f l)
                                                 ++s " <- " ++s showLabel {lu} l)
                                          (LabelList lu))
                               ++s "]]"

As an example we define a set of labels having three labels (defined in file label.agda, Appendix A.49).

data LabelSimple : Set where
  laba labb labc : LabelSimple

trl : {l l' : LabelSimple} → (Q : LabelSimple → Set)
      → T' (l ==lsimpl l') → Q l → Q l'
trl {laba} {laba} Q t q = q
trl {laba} {labb} Q () q
trl {laba} {labc} Q () q
trl {labb} {laba} Q () q
trl {labb} {labb} Q t q = q
trl {labb} {labc} Q () q
trl {labc} {laba} Q () q
trl {labc} {labb} Q () q
trl {labc} {labc} Q t q = q

symLabelSimple : {l l' : LabelSimple} → T' (l ==lsimpl l')
                 → T' (l' ==lsimpl l)
symLabelSimple {laba} {laba} tt = tt
symLabelSimple {laba} {labb} ()
symLabelSimple {laba} {labc} ()
symLabelSimple {labb} {laba} ()
symLabelSimple {labb} {labb} tt = tt
symLabelSimple {labb} {labc} ()
symLabelSimple {labc} {laba} ()
symLabelSimple {labc} {labb} ()
symLabelSimple {labc} {labc} tt = tt

lsimple : LUniv
Labelf     lsimple = LabelSimple
_==lf_     lsimple = _==lsimpl_
refl==lf   lsimple {l} = refl==lsimple {l}
showLabelf lsimple = showLabelSimple
LabelListf lsimple = LabelListSimple
transf     lsimple = trl
sym==lf    lsimple {l} {l'} = symLabelSimple {l} {l'}


5.2 Monadic Composition in CSP-Agda 

In standard process algebras, if a process terminates, it does not return any information except for that it terminated.¹ We want to define processes in a monadic way in order to combine them in a modular way. Therefore, if processes terminate, they should return some additional information, namely the result returned by the process.

In functional programming, a monad is given by a functor M together with morphisms _>>=_ : M A → (A → M B) → M B and return : A → M A such that the following laws hold:

    return a >>= f    = f a
    p >>= return      = p
    (p >>= f) >>= g   = p >>= (λ x . f x >>= g)

The type of interactive programs can be considered as a monad in the following way:

• For a given set A, (M A) is the set of interactive programs, which may or may not terminate, and if they terminate, they will return a result a : A.

• Assume P is a program in (M A), and Q is a function, which for a : A returns a program in (M B). Then P >>= Q is the program which executes as follows: First P is executed. If P terminates with result a then we continue executing (Q a). The result of the whole process is the result of (Q a) (if it terminates).

• The program (return a) will terminate without any interaction with result a.

¹ See below for a discussion on terminated processes vs terminating events as they occur in CSP.

Processes in our approach are similar to interactive programs. They are defined using an atomic operation, which corresponds to a one step interaction in interactive programs, and describes the next transition a process can make. We have the terminated process (terminate a) which plays the role of (return a) in interactive programs. We can monadically combine processes in a similar way as what we can do with interactive programs. Since processes can loop for ever, they are defined coinductively - again the same occurs when representing interactive programs in Agda. The standard CSP-operators are in our approach defined rather than atomic as in process algebras. Since processes are given coinductively, we can introduce processes by primitive corecursion (also called guarded recursion). The principle of primitive corecursion, which is enforced by Agda's termination checker, will guarantee processes to be productive, which means for a process we can determine whether it has terminated or not, and, in case it has terminated, the result returned, and, in case it hasn't terminated, which next transitions it can make, and the next processes after firing these transitions.

We note here already that laws of CSP will usually not hold with respect 
to definitional or intensional equality. We will introduce various propositional 
equalities on CSP processes later, and prove algebraic laws for CSP processes 
by referring to those semantic equalities. 

Terminated processes vs termination events. In CSP termination is handled by events. A process can terminate, which is modelled by an event with reserved label ✓. If P -✓-> P', then P' is a deadlocked process, which is in all standard semantic models of CSP equal to the process STOP. A first step towards a monadic version of processes is that we add a return value to ✓-transitions. This is the result returned when the process terminates, which can be used for choosing a continuation, e.g. in monadic bind. Since P' is equal to STOP we can omit it and just write P -✓ a-> for P having a termination event with return value a.

Adapted to the monadic setting, we have the CSP process (SKIP a) (for a return value a), which has as its only transition SKIP a -✓ a->. We want to have as well a terminated process (terminate a) with result a, which is our name for the monadic (return a). (terminate a) is very similar to (SKIP a), except that (terminate a) has terminated, whereas (SKIP a) will terminate.

If we lift (;) to a monadic >>= we get SKIP a >>= Q -τ-> Q a, whereas we want definitionally terminate a >>= Q = Q a without a τ-transition. Semantically this doesn't make a difference, since in the various semantics of CSP we have τ → P = P. When using it, it makes a difference, since when composing processes we don't want a τ-transition in between.

Because of the equation τ → P = P, we could use (SKIP a) for (terminate a) and optimise the rules to guarantee SKIP a >>= Q = Q a. However, this makes the code very complex. Experience shows that a lot of care needs to be taken in Agda when writing programs, because otherwise verification becomes very complex, since it needs to deal with any special cases introduced when defining the programs. Therefore, it seems to be a better approach to have a separate process (terminate a). That process will be in CSP semantics equal to (SKIP a). When defining CSP operators applied to arguments, we define them for the argument (terminate a) in the same way as for the argument (SKIP a). However, if the result is a process which has only one τ-transition to a process P, we return instead, when the argument is (terminate a), directly the process P without the τ-transition. So we have two kinds of terminated processes in CSP-Agda. One is the result of following a termination event ✓, and one is the new terminated process (terminate a).

A process which terminates behaves differently from (terminate a) as well: in CSP, if P -✓-> P' then P ; Q -τ-> Q, i.e. a τ-transition is needed before passing on control to Q. This should be reflected as well in CSP-Agda, whereas we want that the equation (terminate a) >>= Q = Q a holds without any τ-transition in between. Semantically, this doesn't make a difference, since in CSP we have τ → P = P. However, when actually running processes we don't want to have this τ-transition.

This is needed, since when modelling recursion or composition we want to be able to continue without a τ-transition with the next process. One could argue that in CSP-semantics τ → P = P, but when composing processes in a modular way you do not want to introduce artificial τ-transitions.

One could say that (terminate a) is a process which immediately terminates, and passes control immediately to any other process. For composing processes in a modular way one uses (terminate a).

When modelling CSP-operators, we will model the operational rules of CSP. We will treat terminate similarly to a process which issues a termination event, except that we force this termination event to be executed - so other processes cannot execute an external or internal choice operation before we have dealt with this ✓-transition. Furthermore we pass control immediately to other processes without requiring a τ-transition. This seems to be the right approach to guarantee monadic compositionality.

Finally, we note that in CSP a process can allow both ✓-transitions and external choices and internal choices, and we will model this in CSP-Agda as well.


5.3 Representing CSP Processes in Agda 

In a monadic version, a process P : Process A is either a terminated process (terminate a), which has return value a : A, or it is a process (node P), which progresses. Here P : Process+ A, where (Process+ A) is the type of progressing processes. A progressing process can proceed at any time with labelled transitions (external choices), silent transitions (internal choices), or ✓-events (termination). After a ✓-event, the process becomes deadlocked, so there is no need to determine the process after that event. However, as discussed before we will add a return value a : A to ✓-events.

Elements of (Process+ A) are therefore determined by

(1) an index set E of external choices and for each external choice e the label (Lab e) and the next process (PE e);

(2) an index set I of internal choices and for each internal choice i the next process (PI i); and

(3) an index set T of termination choices corresponding to ✓-events and for each termination choice t the return value PT t : A.

One might consider reducing the number of components by unifying the choice sets and adding τ and ✓ to the set of labels. However, the operators of CSP handle external, internal, and termination transitions quite differently. If we encoded them as one choice set, we would for each operator have to select the choices corresponding to these categories, form the new choices and recombine them. Keeping them as separate entities makes programming and then verification much easier.

We define (Process+ A) as a record. Definition of elements of it by copattern matching is very convenient, since it avoids the need to define the components of (Process+ A) as auxiliary functions as one would have to do when using data.

Processes need to be defined coinductively instead of inductively - otherwise processes would always after finitely many transitions eventually terminate. Processes will therefore be defined by primitive corecursion or guarded recursion. The left hand side of a primitive corecursion scheme needs to have an observation applied to the element of the coinductive type to be defined. We could do this using (Process+ A). However, this would mean that for defining a process by primitive corecursion, we need to define all the 7 components. It seems to be natural to define processes by primitive corecursion where we want to equate the result of applying an eliminator to a process directly with a process formed from other processes, without having to define all 7 components. Because of this we introduce a third type of processes, (Process∞ A), which has an observation forcep returning an element of (Process A).

We will develop a simulator for processes, which displays the evolving of processes following external and internal choices. The simulator needs to display processes as strings. Since processes are infinite objects, we cannot directly compute such finite strings. The solution is to add a new field Str+ to (Process+ A), which determines the string. That string needs to be user-defined. We need to add as well a field Str∞ to (Process∞ A). The reason is that we can only use Str+ to obtain a string from an element of (Process∞ A) if we have a smaller size available, which in general is not the case. This is no artificial restriction imposed by sizes: without this field it is in general not possible to compute a string. For instance, we could define elements of (Process∞ A) corecursively without assigning to it a string directly. Then any string computed would need to be infinite.

We model the sets of external, internal, and termination choices as el¬ 
ements of an inductive-recursively defined universe Choice. Elements c of 
Choice are codes for finite sets, and (ChoiceSet c) is the set it denotes. In 
addition we define a string (choice2Str c) representing c, and a function 
choice2Enum, which computes from c a list of all choices. This will be used 
to print a list of choices in the simulator for CSP processes. 

We require as well that the set of return values is an element of Choice. This allows us to print the result returned when a process terminates. However, for the return types it is not needed that they are finite sets. We plan to introduce in future a separate universe for return values, where we only require that a string can be computed for each element, but drop the requirement to compute an enumeration of its elements. Then we could have the set of natural numbers as a return value, which could be useful for defining processes by recursion over the natural numbers.

The resulting code for processes in Agda is as follows: 


Definition 5.3.1 (Agda Definition)

mutual
  record Process∞ (i : Size) {lu : LUniv} (c : Choice) : Set where
    coinductive
    field
      forcep : {j : Size< i} → Process j {lu} c
      Str∞   : String

  data Process (i : Size) {lu : LUniv} (c : Choice) : Set where
    terminate : ChoiceSet c → Process i {lu} c
    node      : Process+ i {lu} c → Process i {lu} c

  record Process+ (i : Size) {lu : LUniv} (c : Choice) : Set where
    constructor process+
    coinductive
    field
      E    : Choice
      Lab  : ChoiceSet E → Label lu
      PE   : ChoiceSet E → Process∞ i {lu} c
      I    : Choice
      PI   : ChoiceSet I → Process∞ i {lu} c
      T    : Choice
      PT   : ChoiceSet T → ChoiceSet c
      Str+ : String

delay : {i : Size} → {lu : LUniv} → {c : Choice} → Process i {lu} c
        → Process∞ (↑ i) {lu} c
forcep (delay P) = P
Str∞ (delay P) = Str P


An example of a process is as follows:

P = node (process+ E Lab PE I PI T PT "P") : Process String
  where
    E = code for {1,2}     I = code for {3,4}     T = code for {5}
    Lab 1 = a      Lab 2 = b
    PE 1 = P₁      PE 2 = P₂
    PI 3 = P₃      PI 4 = P₄
    PT 5 = "STOP"
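As an added example (not code from the thesis or the CSP-Agda library), the following defines, with the records of Definition 5.3.1, one small process for each kind of transition discussed in Sect. 5.2 and 5.3: an external choice offered forever, an internal τ-loop, a SKIP-like ✓-event carrying a return value, and (terminate a) embedded with delay. It assumes that this chapter's definitions (LUniv, lsimple with its label laba, Choice with fin, ChoiceSet, Process∞, Process, Process+, delay) are in scope; the names forever, spin, skip1 and done are my own.

```agda
{-# OPTIONS --sized-types #-}
-- Assumed in scope (from this chapter, not redefined here): LUniv, Label, lab,
-- LabelSimple (laba), lsimple, Choice (fin), ChoiceSet, Process∞, Process,
-- Process+ (constructor process+), delay.
open import Size
open import Data.Nat using (ℕ)
open import Data.Fin using (Fin; zero)
open import Data.String using (String)
open Process∞

-- A progressing process over the label universe lsimple that offers the
-- single external choice laba forever.  It has no internal choices and no
-- ✓-events, so PI and PT have the empty domain Fin 0 and are absurd.
forever : ∀ {i} → Process∞ i {lsimple} (fin 1)
forcep (forever {i}) {j} =
  node (process+
    (fin 1)               -- E   : exactly one external choice
    (λ _ → lab laba)      -- Lab : it carries the label laba
    (λ _ → forever {j})   -- PE  : afterwards behave as forever, at the smaller size j
    (fin 0)               -- I   : no internal choices
    (λ ())                -- PI  : nothing to define (Fin 0 is empty)
    (fin 0)               -- T   : no termination events
    (λ ())                -- PT  : nothing to define
    "forever")            -- Str+: the string the simulator prints
Str∞ forever = "forever"

-- DIV-like: a single internal (τ) choice back to itself.  The definition is
-- productive (each observation yields a node), but the process never offers
-- a label and never terminates.
spin : ∀ {i} → Process∞ i {lsimple} (fin 1)
forcep (spin {i}) {j} =
  node (process+ (fin 0) (λ ()) (λ ()) (fin 1) (λ _ → spin {j}) (fin 0) (λ ()) "spin")
Str∞ spin = "spin"

-- SKIP-like: its only transition is a ✓-event returning zero : Fin 1.
-- In the terminology of Sect. 5.2 this process *will* terminate.
skip1 : ∀ {i} → Process i {lsimple} (fin 1)
skip1 = node (process+ (fin 0) (λ ()) (λ ()) (fin 0) (λ ()) (fin 1) (λ _ → zero) "SKIP")

-- (terminate zero) *has* terminated; delay embeds it into Process∞ at
-- size ↑ i so that it can be used wherever a Process∞ is expected.
done : ∀ {i} → Process∞ (↑ i) {lsimple} (fin 1)
done = delay (terminate zero)
```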

Figure 5.1: Process in CSP-Agda (the tree for the example process P above, with leaves P₁, P₂, P₃, P₄ and "STOP")

The universe of choices is given by a set Choice of codes for choice sets, and a function ChoiceSet, which maps a code to the choice set it denotes. Universes were introduced by Martin-Löf (e.g. Martin-Löf [1984]) in order to formulate the notion of a type consisting of types. Universes are defined in Agda by an inductive-recursive definition (Dybjer [1992, 1991, 2000], Dybjer and Setzer [2003]): we define inductively the set of codes in the universe while recursively defining the decoding function.

We give here the code expressing that Choice is closed under fin, _⊎'_, _×'_, subset', Σ' and namedElements. Closure under other operations can easily be added as needed. The type (NamedElements l) is essentially (Fin (length l)). The function choice2Str will for elements of this set print the nth element of l, giving them more meaningful names. We don't equate (NamedElements l) with (Fin (length l)). This facilitates type inference.

The type subset A f is the set of a : A such that (f a) is true. It is defined
in Agda as follows:

data subset (A : Set) (f : A → Bool) : Set where
  sub : (a : A) → T (f a) → subset A f

We could have defined Choice simply as the collection of finite sets (Fin n).
However, then the indices of choice sets would lose their connection with the actual
types constructed. For instance, in the case of external choice P □ Q, in our
setting a choice (inj₁ x) refers to P, and a choice (inj₂ x) refers to Q.

data NamedElements (s : List String) : Set where
  ne : Fin (length s) → NamedElements s

mutual

  data Choice : Set where
    fin           : ℕ → Choice
    _⊎'_          : Choice → Choice → Choice
    _×'_          : Choice → Choice → Choice
    subset'       : (E : Choice) → (ChoiceSet E → Bool) → Choice
    Σ'            : (E : Choice) → (ChoiceSet E → Choice) → Choice
    namedElements : List String → Choice
    list          : (E : Choice) → (l : List (ChoiceSet E)) → Choice

  ChoiceSet : Choice → Set
  ChoiceSet (fin n)           = Fin n
  ChoiceSet (s ⊎' t)          = ChoiceSet s ⊎ ChoiceSet t
  ChoiceSet (E ×' F)          = ChoiceSet E × ChoiceSet F
  ChoiceSet (Σ' A B)          = Σ[ x ∈ ChoiceSet A ] ChoiceSet (B x)
  ChoiceSet (namedElements s) = NamedElements s
  ChoiceSet (subset' E f)     = subset (ChoiceSet E) f
  ChoiceSet (list E l)        = ListChoiceElements E l

data ListChoiceElements (E : Choice) (l : List (ChoiceSet E)) : Set where
  lce : Fin (length l) → ListChoiceElements E l


The constructor Σ' is not used later in the code for this thesis. It could
be used if we wanted to have generalised operators for e.g. external or internal
choice

  □_{x : ChoiceSet c} (P x)

Then the external choice set would be

  Σ_{x ∈ ChoiceSet c} (E' x)

which in Agda would be written as

  Σ[ x ∈ ChoiceSet c ] (E' x)

Here (E' x) is the set of external choices for (P x).

An alternative approach could be to use NamedElements, which allows
introducing customary names for each element. But that might be computationally
expensive, because it would, for instance in the case of the product, require
mapping elements of Fin (n × m) to Fin n × Fin m. Therefore we believe
that our approach is a good choice.

Some remarks on our design decisions: In original CSP termination is
modelled by a transition labelled with the special termination event ✓, after
which no transitions are possible any longer. This means that a process might
have both labelled/silent transitions and can terminate at the same time.
The process (terminate a) is a process which has terminated, and having the
possibility to terminate will be modelled in our setting by a τ-transition to
the process (terminate a).

We allow both the internal choice set and external choice set to be empty, 
in this case the process deadlocks. Note that this is a process different from 
the process (terminate a), which terminates explicitly. 

(Lab P) can return the same value for different elements of its domain (E P),
therefore a process can have several transitions with the same label. This
is in accordance with CSP. One could instead demand that for each label
there is at most one transition possible, and replace processes having several
transitions with the same label by one which has one transition followed by
silent transitions to the different choices.

5.4 Three Kinds of Termination of Processes

There are three kinds of termination in CSP-Agda:

• The terminated process (terminate a), which has terminated. When
  monadically composed with another process Q, it will definitionally
  reduce to (Q a).

• The process which can make a τ-transition to (terminate a). This
  process can choose to make a transition. It is in all
  semantics equal to (terminate a), since a process whose only transition is a
  τ-transition to P is equal to P. However,
  processes can have τ-transitions to (terminate a) as well as other
  internal, external choices or termination events.

• The process which can make a termination event with value a. This
  process will, according to the rules of CSP, behave differently from a process
  with a τ-transition to (terminate a): When combined using interleaving
  with another process, the termination event can only be executed
  in sync with a termination event of the other process, whereas
  τ-transitions can be executed independently of each other.

We note here that it is possible for a process to have both internal choices
and termination events. An example would be SKIP □ P where P --τ--> SKIP
(e.g. P is the result of hiding a from a → SKIP). It has a τ-transition to
SKIP □ SKIP and a ✓-event.

5.5 Sequential Composition

In CSP the semi-colon operator (;) is used for sequencing two processes,
where, if the first process terminates, control is passed to the second one. The
rules for sequential composition in CSP are as follows:



In CSP-Agda we have monadic composition P >>= Q, where Q depends on
the return value of P. The monadic bind (P >>= Q) allows composing two
processes P and Q while allowing the second process to depend on the return
type c₀ of P. So Q has an extra argument of the return type (ChoiceSet c₀).

Let us consider first the version _>>=+_ where the first process is an element
of the set of progressing processes Process+. The transitions of (P >>=+ Q)
are as follows: It follows first the external and internal choices of P. If P is the
terminated process with return value a, the process continues as process (Q a).
A special case is a termination event in P with return value a. Following
the operational semantics of CSP, (P >>=+ Q) has in this case an internal
choice (i.e. a τ-transition) to process (Q a).

In total, (P >>=+ Q) has two kinds of internal choice events, namely
internal choices of P and termination events of P. It has no termination
events.

More precisely, in P' := (P >>=+ Q), external choices of P become
external choices of P' using a recursive call, similarly for internal choices.
For termination events c of P with return value PT P c = a, we get additional
internal choice transitions P' --τ--> Q a.

In the case of the monadic bind _>>=_ on Process, we have a special case
when P = terminate x. In this case P >>= Q is equal to (Q x) (one needs
to apply forcep in order to obtain an element of Process). This is different
from termination events of P, where a silent transition is required before
obtaining (Q x).

We obtain therefore in monadic form SKIP a >>= Q --τ--> Q a as the only
transition. (terminate a) should behave as (SKIP a), however we omit unnecessary
τ-transitions. Therefore we define terminate a >>= Q = Q a. If P has
a ✓-event with value a, we cannot define P >>= Q = Q a, since P could have other
external or internal choices. Therefore, a τ-transition before continuing with
(Q a) will be added, as it happens in original CSP.

In the case of progressing processes, P >>= Q makes a direct call to _>>=+_.
The function _>>=∞_ makes as well a direct call to _>>=_.

The full definition of monadic bind is as follows:

_>>=Str_ : {c₀ : Choice} → String
           → (ChoiceSet c₀ → String) → String
s >>=Str f = s ++s ">>=" ++s choice2Str2Str f

mutual

  _>>=∞_ : {i : Size} → {lu : LUniv} → {c₀ c₁ : Choice}
           → Process∞ i {lu} c₀
           → (ChoiceSet c₀ → Process∞ i {lu} c₁)
           → Process∞ i {lu} c₁
  forcep (P >>=∞ Q) = forcep P >>= Q
  Str∞ (P >>=∞ Q) = Str∞ P >>=Str (Str∞ ∘ Q)

  _>>=_ : {i : Size} → {lu : LUniv} → {c₀ c₁ : Choice}
          → Process i c₀
          → (ChoiceSet c₀ → Process∞ (↑ i) {lu} c₁)
          → Process i c₁
  node P >>= Q = node (P >>=+ Q)
  terminate x >>= Q = forcep (Q x)

  _>>=+_ : {i : Size} → {lu : LUniv} → {c₀ c₁ : Choice}
           → Process+ i c₀
           → (ChoiceSet c₀ → Process∞ i {lu} c₁)
           → Process+ i c₁
  E    (P >>=+ Q)          = E P
  Lab  (P >>=+ Q)          = Lab P
  PE   (P >>=+ Q) c        = PE P c >>=∞ Q
  I    (P >>=+ Q)          = I P ⊎' T P
  PI   (P >>=+ Q) (inj₁ c) = PI P c >>=∞ Q
  PI   (P >>=+ Q) (inj₂ c) = Q (PT P c)
  T    (P >>=+ Q)          = ∅'
  PT   (P >>=+ Q) ()
  Str+ (P >>=+ Q)          = Str+ P >>=Str (Str∞ ∘ Q)

In the above code choice2Str2Str converts a function ChoiceSet c → String
into a meaningful string, making a case distinction on the argument. Furthermore,
∅' is an abbreviation for fin 0.

We note here that sequential composition doesn't require the use of sized
types. However, it is important to know that it is size preserving. This allows
applying it to the coinduction hypothesis in other corecursive definitions,
which we will do frequently.


5.6 The Recursion Operator

We can define recursion in a similar way to the operators above. The operation takes an
s : String, f : ChoiceSet c₀ → Process+ i (c₀ ⊎' c₁) and an a : ChoiceSet c₀
and returns a process (rec s f a), which operates as follows: We start with
process (f a) and follow its external and internal choices. If it terminates
with result (inj₂ x), the recursion terminates with result x. If it terminates
with result (inj₁ a'), we recursively start again, with a replaced by a'.

However, in case (f x) terminates immediately, this procedure (unless
we put a τ-transition after each loop iteration) would potentially result in a
black hole recursion. To avoid this we require f x : Process+, which is the
type of processes which have not terminated. Because of this, the result
of rec is productive. We have an argument s, which is the name of the
resulting process, since an automatically generated name would in most cases
be unreadable.

The Agda code is as follows ((renameP name P) renames the Str+ component
of process P to name):

mutual

  rec : {i : Size} → {lu : LUniv} {c₀ c₁ : Choice}
        → (s : String)
        → (ChoiceSet c₀ → Process+ (↑ i) {lu} (c₀ ⊎' c₁))
        → ChoiceSet c₀
        → Process∞ i {lu} c₁
  forcep (rec s f a) = renameP s (f a >>=+p recaux s f)
  Str∞ (rec s f a) = s

  recaux : {i : Size} → {lu : LUniv} {c₀ c₁ : Choice}
           → (s : String)
           → (ChoiceSet c₀ → Process+ (↑ i) {lu} (c₀ ⊎' c₁))
           → (ChoiceSet c₀ ⊎ ChoiceSet c₁)
           → Process∞ i {lu} c₁
  recaux s f (inj₁ x) = rec s f x
  recaux s f (inj₂ x) = delay (terminate x)

recStr : {lu : LUniv} {c₀ : Choice}
         → (ChoiceSet c₀ → String)
         → ChoiceSet c₀ → String
recStr f a = "rec(" ++s choice2Str2Str f ++s " " ++s choice2Str a ++s ")"

Here delay lifts an element of Process to Process∞:

delay : {i : Size} → {lu : LUniv} → {c : Choice} → Process i {lu} c
        → Process∞ (↑ i) {lu} c
forcep (delay P) = P
Str∞ (delay P) = Str P
5.7 STOP, SKIP, Terminate, DIV

The STOP process in CSP is the deadlocked process, which refuses all communication.
It has no transition rule. It can be modelled as a process which
has empty external, internal and termination choice sets ∅'. The components
Lab, PE, PI, PT have as domain the empty set, and can be given by
the function efq (for ex falso quodlibet), which is defined by the empty case
distinction, as denoted by (). The name of STOP is "STOP".

efq : {A : Set} → Fin 0 → A
efq ()

STOP+ : {i : Size} → (c : Choice) → {lu : LUniv} → Process+ i {lu} c
STOP+ c = process+ ∅' efq efq ∅' efq ∅' efq "STOP"

STOP : {i : Size} → (c : Choice) → {lu : LUniv} → Process i {lu} c
STOP c = node (STOP+ c)

STOP∞ : {i : Size} → (c : Choice) → {lu : LUniv} → Process∞ i {lu} c
forcep (STOP∞ c) = STOP c
Str∞ (STOP∞ c) = "STOP∞"

The CSP process SKIP terminates immediately. Its only transition is

  SKIP --✓--> STOP

In CSP we have that SKIP ; P --τ--> P instead of SKIP ; P = P. Therefore
SKIP is not the process (terminate a) but a process which has no external
or internal choices and only one ✓ choice with a given return value. Let
1' = fin 1 be the one element choice set. SKIP is defined as follows:

SKIP+ : {i : Size} → {c : Choice} → (a : ChoiceSet c)
        → {lu : LUniv} → Process+ i {lu} c
SKIP+ a = process+ ∅' efq efq ∅' efq 1' (λ _ → a)
                   ("SKIP(" ++s choice2Str a ++s ")")

SKIP : {i : Size} → {c : Choice} → (a : ChoiceSet c)
       → {lu : LUniv} → Process i {lu} c
SKIP a = node (SKIP+ a)

SKIP∞ : {i : Size} → {c : Choice} → (a : ChoiceSet c)
        → {lu : LUniv} → Process∞ i {lu} c
forcep (SKIP∞ a) = SKIP a
Str∞ (SKIP∞ a) = ("SKIP∞(" ++s choice2Str a ++s ")")

We have as well the terminating process given by the constructor

terminate : {i : Size} → (c : Choice) → (a : ChoiceSet c)
            → Process i c

Direct divergence in the sense of black hole recursion does not occur in
CSP-Agda, since productivity is guaranteed by Agda's termination checker.
Note that in the case of recursion, productivity is guaranteed by referring to the
type of not-terminated processes Process+. However, one can easily define a
process which has infinitely many τ-transitions to itself:

mutual

  DIV∞ : {i : Size} {lu : LUniv} → {c : Choice} → Process∞ i {lu} c
  forcep DIV∞ = DIV
  Str∞ DIV∞ = "DIV"

  DIV : {i : Size} {lu : LUniv} → {c : Choice} → Process i {lu} c
  DIV = node DIV+

  DIV+ : {i : Size} {lu : LUniv} → {c : Choice} → Process+ i {lu} c
  DIV+ = process+ ∅' efq efq 1' (λ _ → DIV∞) ∅' efq "DIV"


5.8 Prefix

The prefix operator a → P has only one transition

  (a → P) --a--> P

So it is the process with one external choice with label a and continuation
P, and empty internal and ✓-choices:

_→Str_ : {lu : LUniv} → Label lu → String → String
l →Str s = "(" ++s showLabel l ++s " → " ++s s ++s ")"

_→+_ : {i : Size} → {c : Choice} → {lu : LUniv} → Label lu
       → Process∞ i c → Process+ i c
E    (l →+ P)   = 1'
Lab  (l →+ P) c = l
PE   (l →+ P) c = P
I    (l →+ P)   = ∅'
PI   (l →+ P) ()
T    (l →+ P)   = ∅'
PT   (l →+ P) ()
Str+ (l →+ P)   = l →Str Str∞ P

_→_ : {i : Size} → {c : Choice} → {lu : LUniv} → Label lu
      → Process∞ i c → Process i c
l → P = node (l →+ P)


5.9 Internal Choice

CSP offers the internal choice operator to leave the choice in the hands of the
process. Here the environment does not have any authority to choose. We
will here formalise the internal choice operators. The internal choice operator
has the following transitions:

  P ⊓ Q --τ--> P        P ⊓ Q --τ--> Q

It is modelled in CSP-Agda by having as internal choice set bool (coded as
fin 2) and otherwise empty choices:

_⊓Str_ : String → String → String
s ⊓Str s' = "(" ++s s ++s " ⊓ " ++s s' ++s ")"

_⊓+_ : {i : Size} → {c : Choice} → {lu : LUniv} → Process∞ i {lu} c
       → Process∞ i {lu} c → Process+ i {lu} c
E    (P ⊓+ Q) = ∅'
Lab  (P ⊓+ Q) ()
PE   (P ⊓+ Q) ()
I    (P ⊓+ Q) = fin 2
PI   (P ⊓+ Q) zero = P
PI   (P ⊓+ Q) (suc zero) = Q
PI   (P ⊓+ Q) (suc (suc ()))
T    (P ⊓+ Q) = ∅'
PT   (P ⊓+ Q) ()
Str+ (P ⊓+ Q) = Str∞ P ⊓Str Str∞ Q

_⊓_ : {i : Size} → {c : Choice} → {lu : LUniv} → Process∞ i {lu} c
      → Process∞ i {lu} c → Process i {lu} c
P ⊓ Q = node (P ⊓+ Q)

_⊓∞_ : {i : Size} → {c : Choice} → {lu : LUniv} → Process∞ i {lu} c
       → Process∞ i {lu} c → Process∞ (↑ i) {lu} c
forcep (P ⊓∞ Q) = P ⊓ Q
Str∞ (P ⊓∞ Q) = (Str∞ P) ⊓Str (Str∞ Q)


5.10 External Choice

External choice allows the environment to make the choice between the
behaviours of the processes. For instance, the process (a → P □ b → Q)
can engage in either of the events a or b. If the first event chosen was a,
the subsequent behaviour is described by P, and if it was b, the process will
behave as Q. The inference rules for external choice are as follows (having
an inference rule with two conclusions is an abbreviation for two inference
rules, one deriving the first and one deriving the second conclusion):

        P --a--> P'                     P --τ--> P'
   --------------------           -----------------------
    P □ Q --a--> P'                P □ Q --τ--> P' □ Q
    Q □ P --a--> P'                Q □ P --τ--> Q □ P'

Assume processes P : Process i c₀ and Q : Process i c₁ and consider P □ Q.
If P or Q terminates, then P □ Q can terminate with the return value of
that process. In case both processes are of the form terminate we need to be
consistent with the behaviour we would have if both processes were SKIP:
in that case the process could have two ✓-events corresponding to each of
the two return values. So we get again return values in c₀ or c₁. The result
returned is therefore always in c₀ or c₁, i.e. an element of the disjoint union
(c₀ ⊎ c₁) of c₀ and c₁. In case P and Q have not terminated the defining
equations are obvious from the rules. The only problem is that we have to
map the return values of the processes (PE P c) to the return value of P □ Q.
We do this by using the function fmap defined below.

If both processes terminate, as said before we obtain a process which can
terminate with each of two given return values. So we obtain (2-✓ a b), which
is the process which can make ✓-transitions for return values (inj₁ a) and
(inj₂ b). We would prefer to return (terminate (a ,, b)), but being consistent
with the requirement that (terminate a) should be semantically equal to (SKIP a) requires
this choice. Here _,,_ is the constructor of type _×_, which is defined in
Agda as follows:

data _×_ (a b : Set) : Set where
  _,,_ : a → b → a × b

In the case of (terminate a □ P) we get a more complex behaviour: (1) the
combined process can terminate with result a; (2) it can follow an internal
choice of P, after which the possibility of having a transition as in (1) remains;
(3) we can have a termination event of P, in which case the result returned
is that of P; (4) we can have an external choice of P, in which case information
about termination of the first process is lost. What we get is that the
combined process behaves as P, but the return value needs to be mapped to
the return value of the combined process. In addition, we need to add, using
addTimed✓, a timed tick event, which provides the possibility of having a
transition --✓,a--> as long as the process hasn't performed an external choice
operation. We obtain the following code:

_□Str_ : String → String → String
s □Str s' = "(" ++s s ++s " □ " ++s s' ++s ")"

mutual

  _□∞∞_ : {lu : LUniv} {c₀ c₁ : Choice} → {i : Size}
          → Process∞ i {lu} c₀ → Process∞ i {lu} c₁
          → Process∞ i {lu} (c₀ ⊎' c₁)
  forcep (P □∞∞ Q) = forcep P □ forcep Q
  Str∞ (P □∞∞ Q) = Str∞ P □Str Str∞ Q

  _□∞+_ : {lu : LUniv} {c₀ c₁ : Choice} → {i : Size}
          → Process∞ i {lu} c₀ → Process+ i {lu} c₁
          → Process∞ i {lu} (c₀ ⊎' c₁)
  forcep (P □∞+ Q) = forcep P □p+ Q
  Str∞ (P □∞+ Q) = Str∞ P □Str Str+ Q

  _□+∞_ : {lu : LUniv} {c₀ c₁ : Choice} → {i : Size}
          → Process+ i {lu} c₀ → Process∞ i {lu} c₁
          → Process∞ i {lu} (c₀ ⊎' c₁)
  forcep (P □+∞ Q) = P □+p forcep Q
  Str∞ (P □+∞ Q) = Str+ P □Str Str∞ Q

  _□_ : {lu : LUniv} {c₀ c₁ : Choice} → {i : Size} → Process i {lu} c₀
        → Process i {lu} c₁ → Process i {lu} (c₀ ⊎' c₁)
  node P □ Q = P □+p Q
  P □ node Q = P □p+ Q
  terminate a □ terminate b = 2-✓ a b

  _□+p_ : {lu : LUniv} {c₀ c₁ : Choice} → {i : Size}
          → Process+ i {lu} c₀ → Process i {lu} c₁
          → Process i {lu} (c₀ ⊎' c₁)
  P □+p terminate b = addTimed✓ (inj₂ b) (node (fmap+ inj₁ P))
  P □+p node Q = node (P □+ Q)

  _□+∞+_ : {lu : LUniv} {c₀ c₁ : Choice} → {i : Size}
           → Process+ i {lu} c₀ → Process∞ i {lu} c₁
           → Process∞ i {lu} (c₀ ⊎' c₁)
  forcep (P □+∞+ Q) = node (P □+p+ forcep Q)
  Str∞ (P □+∞+ Q) = Str+ P □Str Str∞ Q

  _□p+_ : {lu : LUniv} {c₀ c₁ : Choice} → {i : Size} → Process i {lu} c₀
          → Process+ i {lu} c₁ → Process i {lu} (c₀ ⊎' c₁)
  terminate a □p+ Q = addTimed✓ (inj₁ a) (node (fmap+ inj₂ Q))
  node P □p+ Q = node (P □+ Q)

  _□+_ : {lu : LUniv} {c₀ c₁ : Choice} → {i : Size}
         → Process+ i {lu} c₀ → Process+ i {lu} c₁
         → Process+ i {lu} (c₀ ⊎' c₁)
  E    (P □+ Q)          = E P ⊎' E Q
  Lab  (P □+ Q) (inj₁ x) = Lab P x
  Lab  (P □+ Q) (inj₂ x) = Lab Q x
  PE   (P □+ Q) (inj₁ x) = fmap∞ inj₁ (PE P x)
  PE   (P □+ Q) (inj₂ x) = fmap∞ inj₂ (PE Q x)
  I    (P □+ Q)          = I P ⊎' I Q
  PI   (P □+ Q) (inj₁ c) = PI P c □∞+ Q
  PI   (P □+ Q) (inj₂ c) = P □+∞ PI Q c
  T    (P □+ Q)          = T P ⊎' T Q
  PT   (P □+ Q) (inj₁ c) = inj₁ (PT P c)
  PT   (P □+ Q) (inj₂ c) = inj₂ (PT Q c)
  Str+ (P □+ Q)          = Str+ P □Str Str+ Q

  _□∞p_ : {lu : LUniv} {c₀ c₁ : Choice} → {i : Size}
          → Process∞ i {lu} c₀ → Process i {lu} c₁
          → Process∞ i {lu} (c₀ ⊎' c₁)
  forcep (P □∞p Q) = forcep P □ Q
  Str∞ (P □∞p Q) = Str∞ P □Str Str Q

  _□p∞_ : {lu : LUniv} {c₀ c₁ : Choice} → {i : Size}
          → Process i {lu} c₀ → Process∞ i {lu} c₁
          → Process∞ i {lu} (c₀ ⊎' c₁)
  forcep (P □p∞ Q) = P □ forcep Q
  Str∞ (P □p∞ Q) = Str P □Str Str∞ Q


We used here the function addTimed✓, which adds the possibility of terminating with
result a, which is only available as long as the process hasn't performed an
external choice:

addTimed✓Str : {c : Choice} → (a : ChoiceSet c)
               → String → String
addTimed✓Str a str = "(addTimed✓ " ++s choice2Str a ++s " " ++s str ++s ")"

mutual

  addTimed✓∞ : ∀ {i} → {c : Choice} → (a : ChoiceSet c) → {lu : LUniv}
               → Process∞ i {lu} c → Process∞ i {lu} c
  forcep (addTimed✓∞ a P) = addTimed✓ a (forcep P)
  Str∞ (addTimed✓∞ a P) = addTimed✓Str a (Str∞ P)

  addTimed✓ : ∀ {i} → {c : Choice} → (a : ChoiceSet c) → {lu : LUniv}
              → Process i {lu} c → Process i {lu} c
  addTimed✓ a (terminate b) = fmap unifyA⊎A (2-✓ a b)
  addTimed✓ a (node P) = node (addTimed✓+ a P)

  addTimed✓+ : ∀ {i} → {c : Choice} → (a : ChoiceSet c) → {lu : LUniv}
               → Process+ i {lu} c
               → Process+ i {lu} c
  E    (addTimed✓+ a P)          = E P
  Lab  (addTimed✓+ a P)          = Lab P
  PE   (addTimed✓+ a P) s        = PE P s
  I    (addTimed✓+ a P)          = I P
  PI   (addTimed✓+ a P) s        = addTimed✓∞ a (PI P s)
  T    (addTimed✓+ a P)          = 1' ⊎' T P
  PT   (addTimed✓+ a P) (inj₁ _) = a
  PT   (addTimed✓+ a P) (inj₂ c) = PT P c
  Str+ (addTimed✓+ a P)          = addTimed✓Str a (Str+ P)

The process having two tick events for two values is defined as follows:

2-✓Str : {c₀ c₁ : Choice} → (a : ChoiceSet c₀)
         → (b : ChoiceSet c₁) → String
2-✓Str a b = "(2-✓ " ++s choice2Str a ++s " " ++s choice2Str b ++s ")"

2-✓+ : ∀ {i} → {c₀ c₁ : Choice} → (a : ChoiceSet c₀)
       → {lu : LUniv}
       → (b : ChoiceSet c₁) → Process+ i {lu} (c₀ ⊎' c₁)
E    (2-✓+ a b) = ∅'
Lab  (2-✓+ a b) ()
PE   (2-✓+ a b) ()
I    (2-✓+ a b) = ∅'
PI   (2-✓+ a b) ()
T    (2-✓+ a b) = fin 2
PT   (2-✓+ a b) zero = inj₁ a
PT   (2-✓+ a b) (suc zero) = inj₂ b
PT   (2-✓+ a b) (suc (suc ()))
Str+ (2-✓+ a b) = "(2-✓ " ++s choice2Str a ++s " " ++s choice2Str b ++s ")"

2-✓ : ∀ {i} → {c₀ c₁ : Choice} → (a : ChoiceSet c₀) → {lu : LUniv}
      → (b : ChoiceSet c₁) → Process i {lu} (c₀ ⊎' c₁)
2-✓ a b = node (2-✓+ a b)

2-✓∞ : ∀ {i} → {c₀ c₁ : Choice} → (a : ChoiceSet c₀) → {lu : LUniv}
       → (b : ChoiceSet c₁) → Process∞ i {lu} (c₀ ⊎' c₁)
forcep (2-✓∞ a b) = 2-✓ a b
Str∞ (2-✓∞ a b) = 2-✓Str a b


The function fmap, mapping (Process i c₀) to (Process i c₁) by applying
a function (f : ChoiceSet c₀ → ChoiceSet c₁) to the return values, can be
defined corecursively as follows:

fmapStr : {c₀ c₁ : Choice} → (f : ChoiceSet c₀ → ChoiceSet c₁)
          → String → String
fmapStr f str = "(fmap " ++s choiceFunToStr f ++s " " ++s str ++s ")"

mutual

  fmap∞ : {c₀ c₁ : Choice}
          → (f : ChoiceSet c₀ → ChoiceSet c₁)
          → {i : Size}
          → {lu : LUniv}
          → Process∞ i {lu} c₀ → Process∞ i {lu} c₁
  forcep (fmap∞ f P) = fmap f (forcep P)
  Str∞ (fmap∞ f P) = fmapStr f (Str∞ P)

  fmap : {lu : LUniv} {c₀ c₁ : Choice} → (f : ChoiceSet c₀
         → ChoiceSet c₁) → {i : Size}
         → Process i {lu} c₀ → Process i {lu} c₁
  fmap f (terminate a) = terminate (f a)
  fmap f (node P) = node (fmap+ f P)

  fmap+ : {c₀ c₁ : Choice}
          → (f : ChoiceSet c₀ → ChoiceSet c₁)
          → {i : Size}
          → {lu : LUniv}
          → Process+ i {lu} c₀ → Process+ i {lu} c₁
  E    (fmap+ f P)   = E P
  Lab  (fmap+ f P) c = Lab P c
  PE   (fmap+ f P) c = fmap∞ f (PE P c)
  I    (fmap+ f P)   = I P
  PI   (fmap+ f P) c = fmap∞ f (PI P c)
  T    (fmap+ f P)   = T P
  PT   (fmap+ f P) c = f (PT P c)
  Str+ (fmap+ f P)   = fmapStr f (Str+ P)
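The following is an added, executable Python model (not the thesis' Agda code) of the one-step structure of Definition 5.3.1, the three kinds of termination of Section 5.4, the monadic bind of Section 5.5 and the external choice with addTimed✓ and 2-✓ of Section 5.10. The names Node, Terminate, bind, fmap, add_timed_tick, ext_choice and transitions are this model's own; continuations are thunks standing in for Process∞ and forcep, and sizes and the Str components are left out.

```python
# Added Python model of CSP-Agda's Process+ (not the thesis' code): Node holds
# E/Lab/PE, I/PI, T/PT as dicts, Terminate is the constructor terminate.
from dataclasses import dataclass
from typing import Any, Callable, Dict, Tuple, Union

Thunk = Callable[[], "Process"]          # stands in for Process∞ / forcep


@dataclass(frozen=True)
class Terminate:                         # terminate a
    value: Any


@dataclass(frozen=True)
class Node:                              # node (process+ E Lab PE I PI T PT Str+)
    ext: Dict[Any, Tuple[str, Thunk]]    # choice -> (label, continuation)
    intl: Dict[Any, Thunk]               # choice -> continuation (τ-transition)
    term: Dict[Any, Any]                 # choice -> return value (✓-event)
    name: str


Process = Union[Terminate, Node]


def inj1(x): return ("inj1", x)
def inj2(x): return ("inj2", x)


def name(p: Process) -> str:
    return f"terminate {p.value}" if isinstance(p, Terminate) else p.name

def skip(a) -> Node:                     # SKIP a: no choices, one ✓-event with value a
    return Node({}, {}, {0: a}, f"SKIP({a})")

def prefix(label: str, p: Process) -> Node:   # label → P
    return Node({0: (label, lambda: p)}, {}, {}, f"({label} → {name(p)})")

def bind(p: Process, q: Callable[[Any], Process]) -> Process:
    """P >>= Q (Section 5.5): terminate x reduces to Q x directly, while a
    ✓-event of a node becomes a τ-transition (internal choice) to Q a."""
    if isinstance(p, Terminate):
        return q(p.value)
    ext = {c: (l, (lambda k=k: bind(k(), q))) for c, (l, k) in p.ext.items()}
    intl = {inj1(c): (lambda k=k: bind(k(), q)) for c, k in p.intl.items()}
    intl.update({inj2(c): (lambda v=v: q(v)) for c, v in p.term.items()})
    return Node(ext, intl, {}, f"({p.name} >>= Q)")      # T (P >>=+ Q) = ∅'

def fmap(f: Callable[[Any], Any], p: Process) -> Process:
    """Apply f to the return values of P, leaving its transitions unchanged."""
    if isinstance(p, Terminate):
        return Terminate(f(p.value))
    return Node({c: (l, (lambda k=k: fmap(f, k()))) for c, (l, k) in p.ext.items()},
                {c: (lambda k=k: fmap(f, k())) for c, k in p.intl.items()},
                {c: f(v) for c, v in p.term.items()}, f"fmap({p.name})")

def add_timed_tick(a, p: Process) -> Process:
    """addTimed✓ a P: an extra ✓-event with value a that survives τ-steps but
    is dropped once an external choice is taken (PE is passed through)."""
    if isinstance(p, Terminate):         # 2-✓ a b with both values in one type
        return Node({}, {}, {0: a, 1: p.value}, f"2-✓({a},{p.value})")
    term = {inj1(0): a}
    term.update({inj2(c): v for c, v in p.term.items()})
    intl = {c: (lambda k=k: add_timed_tick(a, k())) for c, k in p.intl.items()}
    return Node(p.ext, intl, term, f"addTimed✓({a}, {p.name})")

def ext_choice(p: Process, q: Process) -> Process:
    """P □ Q (Section 5.10); return values land in the disjoint union."""
    if isinstance(p, Terminate) and isinstance(q, Terminate):
        return Node({}, {}, {0: inj1(p.value), 1: inj2(q.value)}, "2-✓")
    if isinstance(p, Terminate):
        return add_timed_tick(inj1(p.value), fmap(inj2, q))
    if isinstance(q, Terminate):
        return add_timed_tick(inj2(q.value), fmap(inj1, p))
    ext = {inj1(c): (l, (lambda k=k: fmap(inj1, k()))) for c, (l, k) in p.ext.items()}
    ext.update({inj2(c): (l, (lambda k=k: fmap(inj2, k()))) for c, (l, k) in q.ext.items()})
    intl = {inj1(c): (lambda k=k: ext_choice(k(), q)) for c, k in p.intl.items()}
    intl.update({inj2(c): (lambda k=k: ext_choice(p, k())) for c, k in q.intl.items()})
    term = {inj1(c): inj1(v) for c, v in p.term.items()}
    term.update({inj2(c): inj2(v) for c, v in q.term.items()})
    return Node(ext, intl, term, f"({p.name} □ {q.name})")

def transitions(p: Process):
    """One-step transitions: (label, next), ('τ', next) or ('✓', value)."""
    if isinstance(p, Terminate):
        return []
    return ([(l, k()) for (l, k) in p.ext.values()]
            + [("τ", k()) for k in p.intl.values()]
            + [("✓", v) for v in p.term.values()])
```

With Q a = (b → terminate a), transitions(bind(skip("x"), Q)) is a single τ-step to Q x while bind(Terminate("x"), Q) is Q x itself, and ext_choice(Terminate("l"), prefix("c", Terminate("r"))) offers ✓ with value inj₁ "l" only until the external choice c is taken.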


5.11 Renaming

The renaming operator takes a process and renames the external choice labels
by applying a function to them. It is modelled in CSP-Agda as follows:

RenameStr : {lu : LUniv} (f : Label lu → Label lu) → String → String
RenameStr f s = "(" ++s s ++s ")" ++s (labelLabelFunToString f)

mutual

  Rename∞ : {i : Size} → {lu : LUniv} {c : Choice}
            → (f : Label lu → Label lu)
            → Process∞ i {lu} c → Process∞ i {lu} c
  forcep (Rename∞ f P) = Rename f (forcep P)
  Str∞ (Rename∞ f P) = RenameStr f (Str∞ P)

  Rename : {i : Size} → {lu : LUniv} {c : Choice}
           → (f : Label lu → Label lu)
           → Process i {lu} c → Process i {lu} c
  Rename f (node P) = node (Rename+ f P)
  Rename f (terminate x) = terminate x

  Rename+ : {i : Size} → {lu : LUniv} {c : Choice}
            → (f : Label lu → Label lu)
            → Process+ i {lu} c → Process+ i {lu} c
  E    (Rename+ f P)   = E P
  Lab  (Rename+ f P) c = f (Lab P c)
  PE   (Rename+ f P) c = Rename∞ f (PE P c)
  I    (Rename+ f P)   = I P
  PI   (Rename+ f P) c = Rename∞ f (PI P c)
  T    (Rename+ f P)   = T P
  PT   (Rename+ f P) c = PT P c
  Str+ (Rename+ f P)   = RenameStr f (Str+ P)


5.12 Hiding

Hiding allows hiding some external transitions by replacing them with silent
ones, so that they are hidden from other processes. The behaviour of the hiding
operator is given by the following firing rules:

         P --a--> P'                           P --μ--> P'
   ---------------------- [a ∈ A]        ---------------------- [μ ∉ A]
    P \ A --τ--> P' \ A                   P \ A --μ--> P' \ A

In our approach we model this operator as follows (the parameter hide
determines whether a label is hidden or not):

HideStr : {lu : LUniv} (f : Label lu → Bool) → String → String
HideStr f str = "Hide " ++s labelBoolFunToString f ++s " " ++s str

mutual

  Hide∞ : {i : Size} {lu : LUniv} → {c : Choice}
          → (hide : Label lu → Bool)
          → Process∞ i {lu} c
          → Process∞ i {lu} c
  forcep (Hide∞ f P) = Hide f (forcep P)
  Str∞ (Hide∞ f P) = HideStr f (Str∞ P)

  Hide : {i : Size} → {lu : LUniv} → {c : Choice}
         → (hide : Label lu → Bool)
         → Process i {lu} c
         → Process i {lu} c
  Hide f (node P) = node (Hide+ f P)
  Hide f (terminate x) = terminate x

  Hide+ : {i : Size} → {lu : LUniv} → {c : Choice}
          → (hide : Label lu → Bool) → Process+ i {lu} c
          → Process+ i {lu} c
  E    (Hide+ f P)          = subset' (E P) (¬b ∘ (f ∘ (Lab P)))
  Lab  (Hide+ f P) c        = Lab P (projSubset c)
  PE   (Hide+ f P) c        = Hide∞ f (PE P (projSubset c))
  I    (Hide+ f P)          = I P ⊎' subset' (E P) (f ∘ Lab P)
  PI   (Hide+ f P) (inj₁ c) = Hide∞ f (PI P c)
  PI   (Hide+ f P) (inj₂ c) = Hide∞ f (PE P (projSubset c))
  T    (Hide+ f P)          = T P
  PT   (Hide+ f P)          = PT P
  Str+ (Hide+ f P)          = HideStr f (Str+ P)

Here ¬b is Boolean negation. In our approach the external choice set of Hide+ f P is
the subset of the external choices of P for which Lab P is not hidden, and its
internal choice set is the union of the internal choices of P and the subset of the
external choices of P for which Lab P is hidden.


5.13 Interleaving Operator

The interleaving operator executes the external and internal choices of its
arguments P and Q completely independently of each other. The CSP rules
are as follows:

          P --μ--> P'                          P --μ--> P'
   --------------------------          --------------------------
    P ||| Q --μ--> P' ||| Q             Q ||| P --μ--> Q ||| P'

The definition in CSP-Agda is as follows:

_|||Str_ : String → String → String
s |||Str s' = s ++s "|||" ++s s'

mutual

  _|||∞_ : {i : Size} {lu : LUniv}
           → {c₀ c₁ : Choice}
           → Process∞ i {lu} c₀
           → Process∞ i {lu} c₁
           → Process∞ i {lu} (c₀ ×' c₁)
  forcep (P |||∞ Q) = forcep P ||| forcep Q
  Str∞ (P |||∞ Q) = Str∞ P |||Str Str∞ Q

  _|||_ : {i : Size} {lu : LUniv} → {c₀ c₁ : Choice} → Process i {lu} c₀
          → Process i c₁ → Process i {lu} (c₀ ×' c₁)
  node P ||| node Q = node (P |||++ Q)
  terminate a ||| Q = fmap (λ b → (a ,, b)) Q
  P ||| terminate b = fmap (λ a → (a ,, b)) P

  _|||∞+_ : {i : Size} {lu : LUniv} → {c₀ c₁ : Choice} → Process∞ i {lu} c₀
            → Process+ i {lu} c₁ → Process∞ i {lu} (c₀ ×' c₁)
  forcep (P |||∞+ Q) = node (forcep P |||p+ Q)
  Str∞ (P |||∞+ Q) = Str∞ P |||Str Str+ Q

  _|||+∞_ : {i : Size} {lu : LUniv} → {c₀ c₁ : Choice} → Process+ i {lu} c₀
            → Process∞ i {lu} c₁ → Process∞ i {lu} (c₀ ×' c₁)
  forcep (P |||+∞ Q) = node (P |||+p forcep Q)
  Str∞ (P |||+∞ Q) = Str+ P |||Str Str∞ Q

  _|||p+_ : {i : Size} {lu : LUniv} {c₀ c₁ : Choice} → Process i {lu} c₀
            → Process+ i {lu} c₁ → Process+ i {lu} (c₀ ×' c₁)
  terminate a |||p+ Q = fmap+ (λ b → (a ,, b)) Q
  node P |||p+ Q = P |||++ Q

  _|||+p_ : {i : Size} {lu : LUniv} → {c₀ c₁ : Choice} → Process+ i c₀
            → Process i {lu} c₁ → Process+ i {lu} (c₀ ×' c₁)
  P |||+p terminate b = fmap+ (λ a → (a ,, b)) P
  P |||+p node Q = P |||++ Q

  _|||++_ : {i : Size} {lu : LUniv} → {c₀ c₁ : Choice}
            → Process+ i {lu} c₀ → Process+ i {lu} c₁
            → Process+ i {lu} (c₀ ×' c₁)
  E    (P |||++ Q)           = E P ⊎' E Q
  Lab  (P |||++ Q) (inj₁ c)  = Lab P c
  Lab  (P |||++ Q) (inj₂ c)  = Lab Q c
  PE   (P |||++ Q) (inj₁ c)  = PE P c |||∞+ Q
  PE   (P |||++ Q) (inj₂ c)  = P |||+∞ PE Q c
  I    (P |||++ Q)           = I P ⊎' I Q
  PI   (P |||++ Q) (inj₁ c)  = PI P c |||∞+ Q
  PI   (P |||++ Q) (inj₂ c)  = P |||+∞ PI Q c
  T    (P |||++ Q)           = T P ×' T Q
  PT   (P |||++ Q) (c ,, c₁) = PT P c ,, PT Q c₁
  Str+ (P |||++ Q)           = Str+ P |||Str Str+ Q

  _|||p∞_ : {i : Size} {lu : LUniv} → {c₀ c₁ : Choice} → Process i {lu} c₀
            → Process∞ i {lu} c₁ → Process∞ i {lu} (c₀ ×' c₁)
  forcep (P |||p∞ Q) = P ||| forcep Q
  Str∞ (P |||p∞ Q) = Str P |||Str Str∞ Q

  _|||∞p_ : {i : Size} {lu : LUniv} → {c₀ c₁ : Choice} → Process∞ i {lu} c₀
            → Process i {lu} c₁ → Process∞ i {lu} (c₀ ×' c₁)
  forcep (P |||∞p Q) = forcep P ||| Q
  Str∞ (P |||∞p Q) = Str∞ P |||Str Str Q

When processes P and Q haven't terminated, then P ||| Q will not terminate.
The external choices are the external choices of P and Q. The
labels are the labels from the processes P and Q, and we continue recursively
with the interleaving combination. The internal choices are defined similarly.
A termination event can happen only if both processes have a termination
event.

If one process terminates but the other does not, the rules of CSP express that
one continues as the other process until it has terminated. We can therefore
equate, if P has terminated, P ||| Q with Q. However, we record the result
obtained by P, and therefore apply fmap to Q in order to add the result of P
to the result of Q when it terminates. If both processes terminate with results
a and b, then the interleaving combination terminates with result (a ,, b).


5.14 The Parallel Operator 

The parallel operator makes it possible to force two processes to work together and interact through synchronous events. For each of the two processes a set of labels, A and B respectively, is given. On labels which are not in the intersection the two processes execute independently, as long as the label is in A or in B, respectively. On labels in the intersection both processes need to synchronise on that event. The transition rules for the parallel operator are as follows:


a 


o 
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P 


P 


Q^Q 


P \[A\B]\ Q —% P \[A\B}\ Q 


a e A u {/} n B u {/} ] 


--- [fie((A\j t)\b )] 

P \[A\B}\ Q^P \[A\B}\ Q 

Q \[A\B]\ P^Q \[A\B}\ P 


In CSP-Agda we define the parallel operator as follows. We assume functions A B : Label → Bool which determine the label sets A and B as above. The external choices of P [ A ]||+[ B ] Q are:

• The external choices c : E P for which the label in P is in (A \ B), i.e. such that ((A \ B) (Lab P c)) = true. Here (A \ B) : Label → Bool is defined by (A \ B) b = true if and only if A b = true and B b = false. For such c the label for this external choice is the label of P for choice c, and the process obtained following this transition is the parallel construct applied to PE P c and Q.

• The external choices c : E Q for which the label in Q is in (B \ A), with similar definitions of the label and of the next process obtained.

• The combined external choices for P and Q, i.e. pairs (e₁ ,, e₂) such that e₁ : E P and e₂ : E Q, their labels are equal, and the labels are in the sets A and B respectively, i.e.

(Lab P e₁ ==l Lab Q e₂) ∧ A (Lab P e₁) ∧ B (Lab Q e₂) = true

Here _==l_ is Boolean valued equality on labels, and _∧_ is Boolean valued conjunction. The label for this external choice is the label of P (which is with respect to _==l_ equal to the corresponding label of Q). The process obtained when following this external choice is the parallel construct applied to the results of following the external choices in both P and Q.


Furthermore:

• The internal choices are the internal choices of P and Q, and the process obtained when following such a transition is obtained by following the corresponding transition in process P or Q, respectively.

• A termination event can happen only if both processes have a termination event. If they terminate with results a and b, then the parallel combination terminates with result (a ,, b). Therefore the result type of the parallel construct is the product of the result types of the first and second process.

In order to define the above we use the subset' constructor of Choice, which has the equality rule

ChoiceSet (subset' E f) = subset (ChoiceSet E) f

Here subset A f is the set of pairs sub a b such that a : A and b : T (f a), i.e. it is essentially the set {a : A | f a = true}. We have T : Bool → Set, such that (T true) is provable and (T false) is empty, i.e. not provable.

The definition of the parallel operator in CSP-Agda is as follows:

mutual
  _[_]||∞[_]_ : {i : Size}{lu : LUniv} → {c₀ c₁ : Choice}
      → Process∞ i {lu} c₀
      → (A B : Label lu → Bool)
      → Process∞ i {lu} c₁
      → Process∞ i {lu} (c₀ ×' c₁)
  forcep (P [ A ]||∞[ B ] Q) = forcep P [ A ]||[ B ] forcep Q
  Str∞ (P [ A ]||∞[ B ] Q) = Str∞ P [ A ]||Str[ B ] Str∞ Q

  _[_]||+[_]_ : {lu : LUniv} {i : Size} → {c₀ c₁ : Choice}
      → Process+ i {lu} c₀
      → (A B : Label lu → Bool)
      → Process+ i {lu} c₁
      → Process+ i {lu} (c₀ ×' c₁)
  E (P [ A ]||+[ B ] Q) = subset' (E P) ((A \ B) ∘ (Lab P)) ⊎'
                         subset' (E Q) ((B \ A) ∘ (Lab Q)) ⊎'
                         subset' (E P ×' E Q)
                           (λ {(e₁ ,, e₂)
                               → Lab P e₁ ==l Lab Q e₂ ∧ A (Lab P e₁) ∧ B (Lab Q e₂)})
  Lab (P [ A ]||+[ B ] Q) (inj₁ (inj₁ (sub c p))) = Lab P c
  Lab (P [ A ]||+[ B ] Q) (inj₁ (inj₂ (sub c p))) = Lab Q c
  Lab (P [ A ]||+[ B ] Q) (inj₂ (sub (c₀ ,, c₁) p)) = Lab P c₀
  PE (P [ A ]||+[ B ] Q) (inj₁ (inj₁ (sub c p))) = PE P c [ A ]||∞+[ B ] Q
  PE (P [ A ]||+[ B ] Q) (inj₁ (inj₂ (sub c p))) = P [ A ]||+∞[ B ] PE Q c
  PE (P [ A ]||+[ B ] Q) (inj₂ (sub (c₀ ,, c₁) p)) = PE P c₀ [ A ]||∞[ B ] PE Q c₁
  I (P [ A ]||+[ B ] Q) = I P ⊎' I Q
  PI (P [ A ]||+[ B ] Q) (inj₁ c) = PI P c [ A ]||∞+[ B ] Q
  PI (P [ A ]||+[ B ] Q) (inj₂ c) = P [ A ]||+∞[ B ] PI Q c
  T (P [ A ]||+[ B ] Q) = T P ×' T Q
  PT (P [ A ]||+[ B ] Q) (c₀ ,, c₁) = (PT P c₀ ,, PT Q c₁)
  Str+ (P [ A ]||+[ B ] Q) = Str+ P [ A ]||Str[ B ] Str+ Q


When defining the parallel construct for elements of Process, we need to deal with the case that one of the processes is the terminated process. As for _|||_, one continues in this case as the other process, until it has terminated. However, in case P has terminated, only labels in the set (B \ A) are allowed for Q. We can therefore equate, if P has terminated, P [ A ]||[ B ] Q with Q ↾ (B \ A). Here, for a process P' and a set of labels A', the process P' ↾ A' is the process obtained by restricting the external transitions to those with label in A'. It is defined in Agda as follows:


_↾Str_ : {lu : LUniv} → String → (A : Label lu → Bool) → String
str ↾Str A = "Restrict " ++s labelBoolFunToString A ++s " " ++s str

mutual
  _↾∞_ : {lu : LUniv} {i : Size} → {c : Choice} → Process∞ i {lu} c
         → (A : Label lu → Bool) → Process∞ i {lu} c
  forcep (P ↾∞ A) = (forcep P) ↾ A
  Str∞ (P ↾∞ A) = (Str∞ P) ↾Str A

  _↾_ : {lu : LUniv} {i : Size} → {c : Choice} → Process i {lu} c
        → (A : Label lu → Bool) → Process i {lu} c
  terminate a ↾ A = terminate a
  node P ↾ A = node (P ↾+ A)

  _↾+_ : {lu : LUniv} {i : Size} → {c : Choice} → Process+ i {lu} c
         → (A : Label lu → Bool) → Process+ i {lu} c
  E (P ↾+ A) = subset' (E P) (A ∘ (Lab P))
  Lab (P ↾+ A) (sub c p) = Lab P c
  PE (P ↾+ A) (sub c p) = PE P c ↾∞ A
  I (P ↾+ A) = I P
  PI (P ↾+ A) c = PI P c ↾∞ A
  T (P ↾+ A) = T P
  PT (P ↾+ A) c = PT P c
  Str+ (P ↾+ A) = Str+ P ↾Str A

Note that this is different from hiding, where external transitions with labels not in A' are turned into τ-transitions. As for _|||_, we need to record the result obtained by P, and therefore apply fmap to Q in order to add the result of P to the result of the restriction of Q, when it terminates.

The definition of the parallel operator for Process is therefore as follows:

_[_]||[_]_ : {i : Size}{lu : LUniv} → {c₀ c₁ : Choice}
    → Process i {lu} c₀
    → (A B : Label lu → Bool)
    → Process i {lu} c₁
    → Process i {lu} (c₀ ×' c₁)
node P [ A ]||[ B ] node Q = node (P [ A ]||+[ B ] Q)
terminate a [ A ]||[ B ] Q = fmap (λ b → (a ,, b)) (Q ↾ (B \ A))
P [ A ]||[ B ] terminate b = fmap (λ a → (a ,, b)) (P ↾ (A \ B))


5.15 Interrupt Operator 


The interrupt operator passes control from one process to another at an arbitrary point of execution. This means that transitions of the first process are performed in the first argument of the interrupt operator, whereas if the second process has an external transition, then the combined process exits to the result of that transition. If one of the two processes terminates, the combined process terminates. As for external choice, in case both processes terminate we need to return a process which can have two tick events for the two results. So the result type is (c₀ ⊎' c₁). The CSP rules are as follows:


P 


P 


PA Q P A Q 


[p ^ A 


P A Q -4 P 


Q^Q 


PA Q p A Q 


Q^Q 

PAQ^Q 


CSP-Agda models the interrupt operator as follows:

mutual
  _△∞∞_ : {lu : LUniv}{c₀ c₁ : Choice} → {i : Size}
      → Process∞ i {lu} c₀ → Process∞ i {lu} c₁
      → Process∞ i {lu} (c₀ ⊎' c₁)
  forcep (P △∞∞ P') = forcep P △ forcep P'
  Str∞ (P △∞∞ P') = Str∞ P △Str Str∞ P'

  _△_ : {lu : LUniv}{c₀ c₁ : Choice} → {i : Size}
      → Process i {lu} c₀ → Process i {lu} c₁
      → Process i {lu} (c₀ ⊎' c₁)
  node P △ P' = P △+p P'
  P △ node P' = P △p+ P'
  terminate a △ terminate b = 2-✓ a b

  _△+_ : {lu : LUniv}{c₀ c₁ : Choice} → {i : Size}
      → Process+ i {lu} c₀ → Process+ i {lu} c₁
      → Process+ i {lu} (c₀ ⊎' c₁)
  E (P △+ Q) = E P ⊎' E Q
  Lab (P △+ Q) (inj₁ x) = Lab P x
  Lab (P △+ Q) (inj₂ x) = Lab Q x
  PE (P △+ Q) (inj₁ x) = PE P x △∞+ Q
  PE (P △+ Q) (inj₂ x) = fmap∞ inj₂ (PE Q x)
  I (P △+ Q) = I P ⊎' I Q
  PI (P △+ Q) (inj₁ c) = PI P c △∞+ Q
  PI (P △+ Q) (inj₂ c) = P △+∞ PI Q c
  T (P △+ Q) = T P ⊎' T Q
  PT (P △+ Q) (inj₁ c) = inj₁ (PT P c)
  PT (P △+ Q) (inj₂ c) = inj₂ (PT Q c)
  Str+ (P △+ Q) = Str+ P △Str Str+ Q


As before, the rules in case none of the processes is (terminate a) are straightforward. If the first process is (terminate a), the combined process operates like the second process, but with the return value remapped, and with a timed tick added as long as it performs no external choice. If the second process is (terminate a), the combined operator operates like the first process, with the same operations but replacing the timed tick by a permanently added tick. If both processes terminate, we get as result, as for external choice, a process (2-✓ a b) having tick events for both return values.

The type of the function add✓, with the clause which differs from addTimed✓, is as follows:

mutual
  add✓∞ : ∀ {i} → {c : Choice} → (a : ChoiceSet c) → {lu : LUniv}
      → Process∞ i {lu} c → Process∞ i {lu} c
  forcep (add✓∞ a P) = add✓ a (forcep P)
  Str∞ (add✓∞ a P) = add✓Str a (Str∞ P)

  add✓ : ∀ {i} → {c : Choice} → (a : ChoiceSet c) → {lu : LUniv}
      → Process i {lu} c → Process i {lu} c
  add✓ a (terminate b) = fmap unify⊎ (2-✓ a b)
  add✓ a (node P) = node (add✓+ a P)

  add✓+ : ∀ {i} → {c : Choice} → (a : ChoiceSet c) → {lu : LUniv}
      → Process+ i {lu} c → Process+ i {lu} c
  E (add✓+ a P) = E P
  Lab (add✓+ a P) = Lab P
  PE (add✓+ a P) s = add✓∞ a (PE P s)
  I (add✓+ a P) = I P
  PI (add✓+ a P) s = add✓∞ a (PI P s)
  T (add✓+ a P) = ⊤' ⊎' T P
  PT (add✓+ a P) (inj₁ _) = a
  PT (add✓+ a P) (inj₂ c) = PT P c
  Str+ (add✓+ a P) = add✓Str a (Str+ P)

In this chapter, we showed how to give the type theoretic interactive theorem prover Agda the ability to model concurrent programs by representing the process algebra CSP in monadic form. The operators of CSP are defined operations, which combine processes defined from atomic operations. In the next chapter, we will introduce a simulator as an interactive program in Agda. The simulator allows one to observe the evolution of processes following external or internal choices.

6 A Simulator for CSP-Agda


We have written a simulator in Agda. It turned out to be more complicated than expected, since we needed to convert processes, which are infinite entities, into strings, which are finitary. For instance, if a process is defined recursively as P = a → P, one cannot extract a finite string from it directly, because P is an infinite object. The solution was to add string components to Process+ and Process∞. The need to add it to Process∞ was unexpected, since Process+ already seemed to have this information; however, one can only access it if one has a smaller size available. We needed as well to add a conversion of choice sets to labels and to restrict result sets to choice sets in order to make them printable.

The simulator does the following: it displays to the user the selected process and the set of termination choices with their return values (we don't allow the user to follow them, because it would always deadlock), and allows the user to choose an external or internal choice by typing a string. If the input is correct, then the program continues with the process obtained by following that transition; otherwise an error message is returned and the program asks again for a choice. The simulator is implemented using a cut-down version of the IO library of ooAgda (Abel et al. [2017]), which makes use of the HS-monad. The IO library defines a version IOConsole of the IO monad with console commands (putStrLn s) for writing a string to the console, with return type Unit, and getLine for getting user input, with return type String.

The simulator displays the process as a string. Then it computes and displays the set of ✓-events and their results, and the external and internal choices together with their labels.

We use the function choice2Enum to compute the list of choices, which is defined as follows:

choice2Enum : (c : Choice) → List (ChoiceSet c)
choice2Enum (fin n) = fin2Option0 n
choice2Enum (c₀ ⊎' c₁) = mapL (λ a → inj₁ a) (choice2Enum c₀) ++
                          mapL (λ a → inj₂ a) (choice2Enum c₁)
choice2Enum (c₀ ×' c₁) = concat (mapL (λ a → (mapL (λ b → (a ,, b))
                                  (choice2Enum c₁))) (choice2Enum c₀))
choice2Enum (namedElements s) = mapL (λ i → ne i) (fin2Option0 (length s))
choice2Enum (Σ' c₀ c₁) = concat (mapL (λ a → (mapL (λ b → (a , b))
                                  (choice2Enum (c₁ a)))) (choice2Enum c₀))
choice2Enum (subset' E f) = gfilter (set2MaybeSubset (ChoiceSet E) f)
                                    (choice2Enum E)
choice2Enum (list E l) = mapL lce (fin2Option0 (length l))

Here, the function fin2Option0 is used to create the list of elements of (Fin n). It is defined in Agda as follows:

fin2Option0' : (n : ℕ) → List (Fin n)
fin2Option0' zero = []
fin2Option0' (suc n) = last :: mapL embed (fin2Option0' n)

fin2Option0 : (n : ℕ) → List (Fin n)
fin2Option0 n = reverse (fin2Option0' n)

The function choice2Str creates a string representing a choice. It is defined in Agda as follows:

choice2Str : {c : Choice} → ChoiceSet c → String
choice2Str {fin n} m = showℕ (toℕ m)
choice2Str {c₀ ⊎' c₁} (inj₁ a) = "(inl " ++s (choice2Str {c₀} a) ++s ")"
choice2Str {c₀ ⊎' c₁} (inj₂ a) = "(inr " ++s (choice2Str {c₁} a) ++s ")"
choice2Str {c₀ ×' c₁} (x₀ ,, x₁) = "(" ++s (choice2Str {c₀} x₀) ++s
                                   ++s (choice2Str {c₁} x₁) ++s ")"
choice2Str {namedElements s} (ne i) = nth s i
choice2Str {Σ' c₀ c₁} (x₁ , x₂) = (choice2Str {c₀} x₁) ++s
                                  ++s (choice2Str {c₁ x₁} x₂)
choice2Str {subset' E f} (sub a x) = choice2Str {E} a
choice2Str {list E l} (lce i) = choice2Str {E} (nth l i)


The simulator has a parameter displayProcess, which determines whether the user wants to show the full process or hide it. The reason for this is that the strings representing processes are sometimes very big, and the user is only interested in performing the events.

The simulator operates as follows: it first displays the process, if displayProcess is true. It then checks whether the process is the terminated process or is stuck, i.e. has no external or internal choices.

myProgram : ∀ {i} → (displayProcess : Bool) {lu : LUniv} (c₀ : Choice)
            → Process ∞ {lu} c₀
            → IOConsole i Unit
forceIO (myProgram {i} true c₀ P) =
   do' (putStrLn (Str P)) λ _ →
   myProgram₀ true c₀ P (proChoiceIs0 P) (proHasSuccessfullyTerminated P)
myProgram {i} false c₀ P =
   myProgram₀ false c₀ P (proChoiceIs0 P) (proHasSuccessfullyTerminated P)

If it has terminated it displays that the program has terminated and stops. 
If it is stuck, it displays that the program is stuck and stops. Otherwise, it 
displays the termination events and external and internal choices available: 

myProgram₀ : ∀ {i} → (displayProcess : Bool) (c₀ : Choice)
             {lu : LUniv} → Process ∞ {lu} c₀
             → (hasNoInternalOrExternalChoices : Bool)
             → (hasTerminated : Bool)
             → IOConsole i Unit
myProgram₀ displayProcess c₀ P false b =
   do (putStrLn ("Termination-Events: " ++s show✓ P)) λ _ →
   do (putStrLn ("Events: " ++s showProLab P)) λ _ →
   do (putStrLn ("Choose Event")) λ _ →
   myProgram₁ displayProcess c₀ P
myProgram₀ displayProcess c₀ P true false =
   do (putStrLn "Program got stuck") λ _ →
   return unit
myProgram₀ displayProcess c₀ P true true =
   do (putStrLn "Program has successfully terminated") λ _ →
   return unit

The user is now asked to input a string, which is compared to the options 
"quit" indicating that the user wants to stop, and "showProcess" indicating 
that the user wants to show the process: 

myProgram₁ : ∀ {i} → (displayProcess : Bool) → (c₀ : Choice)
             → {lu : LUniv} → Process ∞ {lu} c₀
             → IOConsole i Unit
forceIO (myProgram₁ displayProcess c₀ P) =
   do' getLine λ s →
   myProgram₂ displayProcess c₀ P s (s ==strb "quit")

If the first option is taken the program quits, if the second one is chosen 
the process is displayed, otherwise the option is compared with the choices 
available, yielding a Maybe applied to the list of external and internal choices. 

myProgram₂ : ∀ {i} → (displayProcess : Bool) (c₀ : Choice)
             {lu : LUniv} (P : Process ∞ {lu} c₀)
             → String → Bool
             → IOConsole i Unit
myProgram₂ displayProcess c₀ P s true =
   do (putStrLn "exiting") λ _ →
   return unit
myProgram₂ displayProcess c₀ P s false =
   myProgram₃ displayProcess c₀ P s (s ==strb "showProcess")

myProgram₃ : ∀ {i} → (displayProcess : Bool) (c₀ : Choice)
             {lu : LUniv} (P : Process ∞ {lu} c₀)
             → String → Bool
             → IOConsole i Unit
forceIO (myProgram₃ displayProcess c₀ P s true) =
   do' (putStrLn (Str P)) λ _ →
   myProgram₄ displayProcess c₀ P (lookupChoice (proToE P) (proToI P) s)
myProgram₃ displayProcess c₀ P s false =
   myProgram₄ displayProcess c₀ P (lookupChoice (proToE P) (proToI P) s)

If the input was correct, the program follows the external or internal choice chosen by the user. Otherwise the user is asked to enter another choice. Note that ✓-events are only displayed; one cannot follow them, because afterwards the system would stop.

myProgram₄ : ∀ {i} → (displayProcess : Bool) (c₀ : Choice) {lu : LUniv}
             (P : Process ∞ {lu} c₀)
             → Maybe ((ChoiceSet (proToE P)) ⊎ (ChoiceSet (proToI P)))
             → IOConsole i Unit
forceIO (myProgram₄ displayProcess c₀ P nothing) =
   do' (putStrLn "please enter a choice amongst") λ _ →
   do (putStrLn (showProLab P)) λ _ →
   myProgram₁ displayProcess c₀ P
forceIO (myProgram₄ displayProcess c₀ P (just (inj₁ ext))) =
   do' (putStrLn ("-" ++s showLabel (proToLab P ext) ++s "->")) λ _ →
   myProgram displayProcess c₀ (proPToSubPrP P (inj₁ ext))
forceIO (myProgram₄ displayProcess c₀ P (just (inj₂ int))) =
   do' (putStrLn "-τ->") λ _ →
   myProgram displayProcess c₀ (proPToSubPrP P (inj₂ int))

Note the occurrence of force. In the simultaneous recursive definition of the programs we need at least one occurrence of force in order to guarantee termination.

In the CSP-Agda simulator we need to check whether the external and internal choice sets of the process are both empty. If the set of choices is empty, the process is stuck, and we report "Program got stuck".

proChoiceIs0 : {i : Size} → {c : Choice} → {lu : LUniv}
               → Process i {lu} c → Bool
proChoiceIs0 (node P) = choiceIsEmpty (E P) ∧ choiceIsEmpty (I P)
proChoiceIs0 (terminate x) = true

We define as well a Boolean valued function to check whether the process has terminated successfully or not. This function is defined as follows:

proHasSuccessfullyTerminated : {i : Size} → {c : Choice} → {lu : LUniv}
                               → Process i {lu} c → Bool
proHasSuccessfullyTerminated (node P) = false
proHasSuccessfullyTerminated (terminate x) = true

The CSP-Agda simulator needs to print out the set of labels to the user, 
who should choose one of them, after which the system proceeds to the next 
subprocess. We determine the next process as follows: 


proPToSubPr∞ : ∀ {i} → {c : Choice} → {lu : LUniv}
               → (P : Process i {lu} c)
               → ChoiceSet (proToE P) ⊎ ChoiceSet (proToI P)
               → Process∞ i {lu} c
proPToSubPr∞ (node P) (inj₁ c') = PE P c'
proPToSubPr∞ (node P) (inj₂ c') = PI P c'
proPToSubPr∞ (terminate x) (inj₁ ())
proPToSubPr∞ (terminate x) (inj₂ ())

proPToSubPrP : ∀ {i} → {j : Size< i} → {c : Choice} → {lu : LUniv}
               → (P : Process i {lu} c)
               → ChoiceSet (proToE P) ⊎ ChoiceSet (proToI P)
               → Process j c
proPToSubPrP {i} {j} {c} P c' = forcep (proPToSubPr∞ {i} {c} P c')

Since we have different kinds of choices, namely external, internal and tick events, we need to define functions to show each of these sorts. Firstly, we define a function which displays the ✓-events, as follows:

show✓ : {i : Size} → {c : Choice} → {lu : LUniv}
        → Process i {lu} c → String
show✓ (node P) = unlinesWithChosenString " "
                   (mapL (λ t → (choice2Str t ++s ":" ++s choice2Str (PT P t)))
                         (choice2Enum (T P)))
show✓ (terminate a) = ""

In the case of external and internal choices, we define the following function, which creates a string representing all choices:

showProLab : {i : Size} → {c : Choice} → {lu : LUniv}
             → Process i {lu} c → String
showProLab (terminate x) = ""
showProLab {i}{c} (node P) = unlinesWithChosenString " "
   ((mapL (λ c' → extChoiceElToName (choice2Str {E P} c')
                  ++s ":" ++s showLabel (Lab P c'))
          (choice2Enum (E P)))
    ++L
    (mapL (λ c → intChoiceElToName (choice2Str c) ++s ":" ++s "τ")
          (choice2Enum (I P))))

If the user enters a displayed event exactly, the system continues with the next process. Otherwise, the simulator issues a message asking the user to enter a choice among the displayed list.

The main function for looking up choices given by the user is the following:

lookupInEnum : {A : Set} → List (String × A) → String → Maybe A
lookupInEnum [] str = nothing
lookupInEnum ((str' ,, a) :: l) str = lookupInEnumAux a l str (str' ==strb str)

lookupInEnumAux : {A : Set} → A → List (String × A) → String → Bool → Maybe A
lookupInEnumAux a l s false = lookupInEnum l s
lookupInEnumAux a l s true = just a

From this we define the function lookupChoice as follows:

combineEnumerations : {E I : Choice} → List (String × ChoiceSet E)
                      → List (String × ChoiceSet I)
                      → List (String × (ChoiceSet E ⊎ ChoiceSet I))
combineEnumerations {E} {I} L L' =
   (mapL (λ {(s ,, c) → (extChoiceElToName s ,, inj₁ c)}) L)
   ++
   (mapL (λ {(s ,, c) → (intChoiceElToName s ,, inj₂ c)}) L')

lookupChoice : (E I : Choice) → String → Maybe (ChoiceSet E ⊎ ChoiceSet I)
lookupChoice E I s = lookupInEnum (combineEnumerations (choice2EnumWithStr E)
                                                       (choice2EnumWithStr I)) s
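The enumeration and lookup pipeline above (choice2Enum, choice2Str, combineEnumerations, lookupChoice), as an added Python model that is not the thesis's Agda code: a Choice is a tagged tuple, elements are plain values, the "e-"/"i-" prefixes stand in for extChoiceElToName and intChoiceElToName as seen in the example run, and the "," separators used for ×' and Σ' elements are assumptions.

```python
from typing import Any, List, Optional, Tuple

# Constructed model of the Choice universe (not CSP-Agda's own code).
# A Choice is a tagged tuple; the elements of its ChoiceSet are plain values:
#   ("fin", n)             0 .. n-1
#   ("plus", c0, c1)       ("inl", a) | ("inr", b)
#   ("times", c0, c1)      (a, b)
#   ("named", [s0, ...])   ("ne", i)
#   ("sigma", c0, f)       (a, b) with b an element of f(a)
#   ("subset", c, pred)    ("sub", a) for the a with pred(a) true
#   ("list", c, l)         ("lce", i), the index of an element of l
Choice = tuple

def fin2option0(n: int) -> List[int]:
    """fin2Option0: the elements of Fin n, smallest first."""
    return list(range(n))

def choice2enum(c: Choice) -> List[Any]:
    """choice2Enum: list all elements of ChoiceSet c, in the thesis's order."""
    tag = c[0]
    if tag == "fin":
        return fin2option0(c[1])
    if tag == "plus":
        return [("inl", a) for a in choice2enum(c[1])] + \
               [("inr", b) for b in choice2enum(c[2])]
    if tag == "times":      # outer loop over c0, inner loop over c1
        return [(a, b) for a in choice2enum(c[1]) for b in choice2enum(c[2])]
    if tag == "named":
        return [("ne", i) for i in fin2option0(len(c[1]))]
    if tag == "sigma":      # the second component's type depends on the first
        return [(a, b) for a in choice2enum(c[1]) for b in choice2enum(c[2](a))]
    if tag == "subset":     # gfilter with set2MaybeSubset: keep a when pred a holds
        return [("sub", a) for a in choice2enum(c[1]) if c[2](a)]
    if tag == "list":
        return [("lce", i) for i in fin2option0(len(c[2]))]
    raise ValueError(f"unknown Choice constructor {tag!r}")

def choice2str(c: Choice, x: Any) -> str:
    """choice2Str: the name the simulator prints for element x of c."""
    tag = c[0]
    if tag == "fin":
        return str(x)
    if tag == "plus":
        side, a = x
        return f"({side} {choice2str(c[1] if side == 'inl' else c[2], a)})"
    if tag == "times":      # "," as separator is an assumption
        return f"({choice2str(c[1], x[0])},{choice2str(c[2], x[1])})"
    if tag == "named":
        return c[1][x[1]]
    if tag == "sigma":      # "," as separator is an assumption
        return f"{choice2str(c[1], x[0])},{choice2str(c[2](x[0]), x[1])}"
    if tag == "subset":
        return choice2str(c[1], x[1])
    if tag == "list":
        return choice2str(c[1], c[2][x[1]])
    raise ValueError(f"unknown Choice constructor {tag!r}")

def choice2enum_with_str(c: Choice) -> List[Tuple[str, Any]]:
    """choice2EnumWithStr: pair every element with its printed name."""
    return [(choice2str(c, x), x) for x in choice2enum(c)]

def lookup_in_enum(l: List[Tuple[str, Any]], s: str) -> Optional[Any]:
    """lookupInEnum: the first element whose name equals the user's input."""
    for name, a in l:
        if name == s:
            return a
    return None

def combine_enumerations(ext: List[Tuple[str, Any]],
                         int_: List[Tuple[str, Any]]) -> List[Tuple[str, Any]]:
    """combineEnumerations with the "e-"/"i-" prefixes of the example run."""
    return [("e-" + s, ("inl", c)) for s, c in ext] + \
           [("i-" + s, ("inr", c)) for s, c in int_]

def lookup_choice(e: Choice, i: Choice, s: str) -> Optional[Any]:
    """lookupChoice E I s: the chosen external (inl) or internal (inr) choice."""
    return lookup_in_enum(
        combine_enumerations(choice2enum_with_str(e), choice2enum_with_str(i)), s)

# Constructed choice sets shaped like the first state of the example run:
# one external choice and two internal choices.
EXT = ("fin", 1)
INT = ("plus", ("fin", 1), ("fin", 2))
```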

An example run of the simulator (defined in IOExampleScreenShotForTyDePaper2.agda) is as follows:

IOExampleScreenShotForTyDePaper2

((b → (a → STOP)) □ (((c → STOP) ⊓ (a → STOP)) □ SKIP(STOP)))

Termination-Events: (inr (inr 0)):(inr (inr STOP))

Events: e-(inl 0):b i-(inr (inl 0)):τ i-(inr (inl 1)):τ
Choose Event
i-(inr (inl 0))

((b → (a → STOP)) □ ((c → STOP) □ SKIP(STOP)))

Termination-Events: (inr (inr 0)):(inr (inr STOP))

Events: e-(inl 0):b e-(inr (inl 0)):c
Choose Event
e-(inl 0)

(fmap (λ STOP → (inl STOP)) (a → STOP))

Termination-Events:

Events: e-0:a
Choose Event
e-0

(fmap (λ STOP → (inl STOP)) STOP)

Program got stuck



Internal choices and termination events are labelled by "i-" and "t-", respectively. Since it is difficult to type inj₁, inj₂ on the terminal, we use the traditional names inl and inr instead. In the first step we have one ✓-event (inr (inr 0)), one external choice (inl 0), and two internal choices (inr (inl 0)) and (inr (inl 1)). In this run the user chose one internal choice and then one external choice. We used a more advanced version of fmap, which displays a more readable string.

7 Trace Semantics for CSP-Agda


In CSP, the traces of a process are the sequences of actions or labels of external choices that a process can perform. Since processes in CSP are non-deterministic, a process can follow different traces during its execution. The trace semantics of a process is the set of its traces. It captures the observable behaviours of a process. In Chapter 8 we will discuss the limitations of trace semantics and how more refined semantics can be used to fix this problem.

Since in CSP-Agda processes are monadic, we need to record, in case we obtain a terminated process after following a trace, the result returned by the process following this trace. So we add a possible element of the result set to the trace. This is a natural extension of the trace semantics of CSP, where a trace is a list of labels which possibly ends with a ✓ in case the process has terminated; in the monadic setting we just add to the ✓ the result returned. For the set of possible elements we use the set (Maybe (ChoiceSet c)). Here the type (Maybe A) has elements (just a) for a : A, denoting defined elements, and an undefined element nothing. So (just a) denotes that the process has terminated with result a, whereas nothing means that it hasn't terminated (or more precisely, has not been determined to have terminated).

Taking this together, we obtain that traces are given by a list of labels and an element of (Maybe (ChoiceSet c)). We define the set of traces (Tr l m P) as a predicate which determines for a process the lists of labels l and elements m : Maybe (ChoiceSet c) which form a trace. We define as well traces (Tr+ l m P) and (Tr∞ l m P) for processes in Process+ and Process∞, respectively.

In the trace semantics of CSP a process which has a termination event has two traces: the empty list, and the list consisting of a ✓-event. In order to be consistent with CSP, we therefore add, in case of a termination event or a terminated process, two traces: the empty list together with possible return value nothing, and the empty list with possible return value (just a) for the return value a.

For an element of (Process+ ∞ c) we obtain the following traces:

• The empty trace without termination is a trace of any process, and we denote the proof by empty.

• If a process P has external choice x, then from every trace for the result of following this choice, consisting of a list of labels l and a possible result tick, we obtain a trace of P consisting of the result of adding in front of l the label of that external choice, and of the same possible result tick. The resulting proof will be denoted by (extc l tick x tr).

• Internal choices are ignored in traces. Therefore if a process P has an internal choice x, every trace of the result of following this choice is a trace of P. The proof is denoted by (intc l tick x tr).

• If a process has a termination event x with return value t, then the empty trace with termination choice (just t) is a trace of the process, having proof (terc x).

We are now going to define the trace semantics. We note that since traces are finite this will be an inductive definition. Later, when defining infinite traces, we will need a coinductive definition. The definition of traces for the processes of Process+ is as follows:

mutual
  data Tr+ {lu : LUniv}{c : Choice} : (l : List (Label lu))
           → (m : Maybe (ChoiceSet c))
           → (P : Process+ ∞ {lu} c) → Set where
    empty : {P : Process+ ∞ {lu} c} → Tr+ [] nothing P
    extc : {P : Process+ ∞ {lu} c}
           → (l : List (Label lu))
           → (me : Maybe (ChoiceSet c))
           → (x : ChoiceSet (E P))
           → (tr : Tr∞ {lu} l me (PE P x))
           → Tr+ {lu} (Lab P x :: l) me P
    intc : {P : Process+ ∞ {lu} c}
           → (l : List (Label lu))
           → (me : Maybe (ChoiceSet c))
           → (x : ChoiceSet (I P))
           → (tr : Tr∞ {lu} l me (PI P x))
           → Tr+ {lu} l me P
    terc : {P : Process+ ∞ {lu} c}
           → (t : ChoiceSet (T P))
           → Tr+ {lu} [] (just (PT P t)) P

In the case of Process we need to consider the terminated process:

• The terminated process has two traces, namely the empty list of labels [] with termination event nothing, and the same list but with termination event (just x), where x is the return value.

• The traces of a non-terminated process are the traces of the corresponding element of Process+.

We obtain the following definition of the traces of Process:

  data Tr {lu : LUniv}{c : Choice} : (l : List (Label lu))
          (m : Maybe (ChoiceSet c))
          (P : Process ∞ {lu} c) → Set where
    ter : (x : ChoiceSet c) → Tr {lu} [] (just x) (terminate x)
    empty : (x : ChoiceSet c) → Tr {lu} [] nothing (terminate x)
    tnode : {l : List (Label lu)}
            → {x : Maybe (ChoiceSet c)}
            → {P : Process+ ∞ {lu} c}
            → (tr : Tr+ {lu} {c} l x P)
            → Tr {lu} l x (node P)

Finally, the traces of Process∞ are just the traces of the underlying Process:

  Tr∞ : {lu : LUniv}{c : Choice} (l : List (Label lu))
        (tick : Maybe (ChoiceSet c))
        (P : Process∞ ∞ {lu} c) → Set
  Tr∞ {c} l tick P = Tr l tick (forcep P)

In CSP, a process P refines a process Q, written (P ⊑ Q), if and only if every observable behaviour of Q is an observable behaviour of P, i.e. if traces(Q) ⊆ traces(P):

_⊑_ : {lu : LUniv}{c : Choice} (P : Process ∞ {lu} c)
      (Q : Process ∞ {lu} c) → Set
_⊑_ {lu} {c} P Q = (l : List (Label lu))
                   → (m : Maybe (ChoiceSet c))
                   → (tr : Tr {lu} l m Q) → Tr {lu} l m P

Two processes P, Q are equal with respect to trace semantics, written P = Q, if they refine each other, i.e. if traces(P) = traces(Q):

_=_ : {lu : LUniv}{c₀ : Choice} → (P Q : Process ∞ {lu} c₀) → Set
P = Q = P ⊑ Q × Q ⊑ P
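As an added Python model (not the thesis's Agda code) tying together the parallel operator of Section 5.14, the restriction operator, and the trace semantics and refinement just defined: processes are finite trees carrying the fields of Process+, traces are computed as the set of (labels, Maybe result) pairs admitted by the constructors of Tr and Tr+, and refinement is trace inclusion. Process names, label sets and results below are constructed for the example.

```python
from dataclasses import dataclass
from typing import Any, Callable, FrozenSet, List, Tuple, Union

# Constructed finite model of CSP-Agda processes (not the thesis's Agda code).
# Terminate(a) is the terminated process; Node carries the fields of Process+:
# external choices as (label, next) pairs (E/Lab/PE), internal choices as next
# processes (I/PI) and termination events as their results (T/PT).
@dataclass(frozen=True)
class Terminate:
    result: Any

@dataclass(frozen=True)
class Node:
    ext: Tuple[Tuple[str, Any], ...] = ()
    int_: Tuple[Any, ...] = ()
    ter: Tuple[Any, ...] = ()

Process = Union[Terminate, Node]
LabelSet = Callable[[str], bool]            # A, B : Label -> Bool
Trace = Tuple[Tuple[str, ...], Any]         # (labels, None | ("just", a))

def fmap(f: Callable[[Any], Any], p: Process) -> Process:
    """Apply f to every result the process can return with."""
    if isinstance(p, Terminate):
        return Terminate(f(p.result))
    return Node(tuple((lab, fmap(f, q)) for lab, q in p.ext),
                tuple(fmap(f, q) for q in p.int_),
                tuple(f(t) for t in p.ter))

def restrict(p: Process, a: LabelSet) -> Process:
    """P restricted to A: keep only external transitions whose label is in A."""
    if isinstance(p, Terminate):
        return p
    return Node(tuple((lab, restrict(q, a)) for lab, q in p.ext if a(lab)),
                tuple(restrict(q, a) for q in p.int_), p.ter)

def par(p: Process, a: LabelSet, b: LabelSet, q: Process) -> Process:
    """P [A]||[B] Q, clause by clause as in the thesis's definition."""
    a_minus_b = lambda lab: a(lab) and not b(lab)
    b_minus_a = lambda lab: b(lab) and not a(lab)
    if isinstance(p, Terminate):             # P done: Q restricted to B \ A
        return fmap(lambda y: (p.result, y), restrict(q, b_minus_a))
    if isinstance(q, Terminate):             # Q done: P restricted to A \ B
        return fmap(lambda x: (x, q.result), restrict(p, a_minus_b))
    ext: List[Tuple[str, Process]] = []
    ext += [(l, par(p1, a, b, q)) for l, p1 in p.ext if a_minus_b(l)]
    ext += [(l, par(p, a, b, q1)) for l, q1 in q.ext if b_minus_a(l)]
    ext += [(l1, par(p1, a, b, q1)) for l1, p1 in p.ext for l2, q1 in q.ext
            if l1 == l2 and a(l1) and b(l2)]  # synchronised step
    ints = [par(p1, a, b, q) for p1 in p.int_] + [par(p, a, b, q1) for q1 in q.int_]
    ter = [(x, y) for x in p.ter for y in q.ter]   # both sides must tick
    return Node(tuple(ext), tuple(ints), tuple(ter))

def traces(p: Process) -> FrozenSet[Trace]:
    """All (l, m) with Tr l m P: the constructors empty/extc/intc/terc/ter."""
    if isinstance(p, Terminate):
        return frozenset({((), None), ((), ("just", p.result))})
    out = {((), None)}                                   # empty
    for lab, q in p.ext:                                 # extc
        out |= {((lab,) + l, m) for l, m in traces(q)}
    for q in p.int_:                                     # intc: tau is invisible
        out |= traces(q)
    out |= {((), ("just", t)) for t in p.ter}            # terc
    return frozenset(out)

def refines(p: Process, q: Process) -> bool:
    """P refines Q  iff  traces(Q) is a subset of traces(P)."""
    return traces(q) <= traces(p)

def trace_equal(p: Process, q: Process) -> bool:
    return refines(p, q) and refines(q, p)

# Constructed sample processes.
STOP = Node()
def SKIP(x: Any) -> Process: return Node(ter=(x,))
def prefix(lab: str, p: Process) -> Process: return Node(ext=((lab, p),))

in_ab = lambda lab: lab in ("a", "b")
in_a = lambda lab: lab == "a"
in_ac = lambda lab: lab in ("a", "c")

def sync_example() -> FrozenSet[Trace]:
    """(a -> b -> SKIP x) [{a,b}]||[{a}] (a -> SKIP y): a synchronises, b is P's."""
    return traces(par(prefix("a", prefix("b", SKIP("x"))), in_ab, in_a,
                      prefix("a", SKIP("y"))))

def terminated_side_example() -> Tuple[FrozenSet[Trace], FrozenSet[Trace]]:
    """terminate done [{a}]||[{a,c}] Q: Q keeps c (in B but not A), loses a."""
    keeps_c = par(Terminate("done"), in_a, in_ac, prefix("c", SKIP("y")))
    loses_a = par(Terminate("done"), in_a, in_ac, prefix("a", SKIP("y")))
    return traces(keeps_c), traces(loses_a)

def refinement_example() -> Tuple[bool, bool]:
    """(a -> STOP) |~| (b -> STOP) is refined by a -> STOP, not the other way."""
    nd = Node(int_=(prefix("a", STOP), prefix("b", STOP)))
    return refines(nd, prefix("a", STOP)), refines(prefix("a", STOP), nd)
```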


7.1 Proof of the Algebraic Laws 

In CSP there are many algebraic laws for individual operators, and also laws concerning the relationships between different operators. Numerous laws are concerned with general algebraic properties such as commutativity and associativity of operators (these properties allow a process to be composed in any order), the identification of zeros and units for specific operators, idempotence, etc. Other laws allow process descriptions to be simplified. Many laws are concerned with the relationships between different operators, for example the expansion of a parallel composition into a prefix choice process. We will present examples of how to prove algebraic laws of CSP in Agda using this semantics.


7.2 Proof of the Laws of Refinement 

The refinement relation is reflexive, anti-symmetric and transitive, i.e. it fulfils the following laws:

$$P \sqsubseteq P$$
$$P_0 \sqsubseteq P_1 \wedge P_1 \sqsubseteq P_0 \Rightarrow P_0 = P_1$$
$$P_0 \sqsubseteq P_1 \wedge P_1 \sqsubseteq P_2 \Rightarrow P_0 \sqsubseteq P_2$$

For the above relations, the definition is given by stating that if the second process fulfils a certain property (e.g. that tr is a trace), the first process fulfils it as well. The processes are equal if refinement goes in both directions. This immediately implies reflexivity, antisymmetry, and transitivity. Note that antisymmetry is trivial, since the conclusion is defined as the conjunction of the two antecedents.

Theorem 7.2.1 (Agda Theorem)

refl⊑ : {lu : LUniv}{c : Choice} (P : Process ∞ {lu} c) → P ⊑ P

trans⊑ : {lu : LUniv}{c : Choice}(P : Process ∞ {lu} c)
         (Q : Process ∞ {lu} c)
         (R : Process ∞ {lu} c) → P ⊑ Q → Q ⊑ R → P ⊑ R

antiSym⊑ : {lu : LUniv}{c₀ : Choice} → (P Q : Process ∞ {lu} c₀)
           → P ⊑ Q → Q ⊑ P → P ≡ Q

Proof:

refl⊑ P l m x = x

trans⊑ P Q R PQ QR l m tr = PQ l m (QR l m tr)

antiSym⊑ P Q PQ QP = PQ , QP


7.3 Proof of the Monadic Laws 

We defined processes in a monadic way, and will in this section prove the
monad laws for processes.

In functional programming, a monad is given by a functor M together
with morphisms _>>=_ : M A → (A → M B) → M B and return : A → M A
such that the following laws hold:

return a >>= f = f a
p >>= return = p
(p >>= f) >>= g = p >>= (λ x → f x >>= g)

For each monadic law we have to prove two directions ("⊑" and "⊒").
Furthermore the laws need to be shown for Process+, Process and Process∞.
We will present only one direction and one version of the processes for each
law. Since proofs of _≡_ just follow from the left to right and right to left
refinement, we will present this proof only for the first monadic law.

The proof of the first monadic law is trivial since (terminate a >>= P) is
definitionally equal to P a; one could as well have used reflexivity of ⊑ and ≡:

Theorem 7.3.1 (Agda Theorem)

≡monadicLaw₁ : {lu : LUniv}{c₀ c₁ : Choice} (a : ChoiceSet c₀)
               (P : ChoiceSet c₀ → Process ∞ {lu} c₁)
               → (P a) ≡ (terminate a >>= P)

Proof:

monadicLaw₁ : {lu : LUniv}{c₀ c₁ : Choice} (a : ChoiceSet c₀)
              (P : ChoiceSet c₀ → Process ∞ {lu} c₁)
              → (terminate a >>= P) ⊑ P a
monadicLaw₁ a P l m q = q

monadicLaw₁R : {lu : LUniv}{c₀ c₁ : Choice} (a : ChoiceSet c₀)
               (P : ChoiceSet c₀ → Process ∞ {lu} c₁)
               → P a ⊑ (terminate a >>= P)
monadicLaw₁R {c₀} {c₁} a P l m q = q

≡monadicLaw₁ : {lu : LUniv}{c₀ c₁ : Choice} (a : ChoiceSet c₀)
               (P : ChoiceSet c₀ → Process ∞ {lu} c₁)
               → (P a) ≡ (terminate a >>= P)
≡monadicLaw₁ {c₀} {c₁} a P = (monadicLaw₁ a P) , (monadicLaw₁R a P)

In case of the second monadic law the proof is by induction over the
proofs of traces for (P >>=+ terminate), which immediately turn into traces
of P.

Theorem 7.3.2 (Agda Theorem)

≡monadicLaw₂ : {lu : LUniv}{c₀ c₁ : Choice}
               (P : Process ∞ {lu} c₀)
               → P ≡ (P >>= terminate)

Proof:

monadicLaw₂+ : {lu : LUniv}{c₀ : Choice} (P : Process+ ∞ {lu} c₀)
               → (P >>=+ terminate) ⊑+ P
monadicLaw₂+ P .[] .nothing empty = empty
monadicLaw₂+ P .(Lab P x :: l) m (extc l .m x x₁) =
    extc l m x (monadicLaw₂∞ (PE P x) l m x₁)
monadicLaw₂+ P l m (intc .l .m x x₁) =
    intc l m (inj₁ x) (monadicLaw₂∞ (PI P x) l m x₁)
monadicLaw₂+ {lu} {c₀} P .[] .(just (PT P x)) (terc x) =
    intc [] (just (PT P x)) (inj₂ x) (lemTrTerminateBind c₀ P x)

≡monadicLaw₂ : {lu : LUniv}{c₀ c₁ : Choice} (P : Process ∞ {lu} c₀)
               → P ≡ (P >>= terminate)
≡monadicLaw₂ {lu} {c₀} {c₁} P = (monadicLaw₂R P) , (monadicLaw₂ P)

The proof of the third monadic law is by induction over the proofs
of traces for (P >>=+ (Q >>=+ R)). In most cases the proofs of traces
carry over after applying the induction hypothesis. One special case is when
the first process P has a termination event, which results in an internal
choice to Q x >>= R on both sides. In this case the traces are essentially
the same, but only after applying forcet. We use here an operation

monadPT+ : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process+ ∞ {lu} c₀)
           (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
           → (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
           → (y : ChoiceSet (T P))
           → (l : List (Label lu))
           → (m : Maybe (ChoiceSet c₂))
           → (x : Tr∞ l m (PI (P >>=+ (λ x → Q x >>= R)) (inj₂ y)))
           → Tr∞ l m (PI (P >>=+ Q) (inj₂ y) >>=∞ R)
monadPT+ {lu} {c₀} {c₁} {c₂} P Q R y l m tr = tr

which is, modulo an application of forcet, equal to tr. There are no immediate
termination events, and therefore no proofs of traces of the form (terc x). We
use efq (ex falso quodlibet), which constructs from an element of the empty
set an element of any set, for dealing with this case. The resulting theorem
and proof is as follows:

Theorem 7.3.3 (Agda Theorem)

≡monadicLaw₃ : {lu : LUniv}{c₀ c₁ c₂ : Choice}
               (P : Process ∞ {lu} c₀)
               (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
               (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
               → ((P >>= Q) >>= R) ≡ (P >>= (λ x → Q x >>= R))

Proof:

monadicLaw₃+ : {lu : LUniv}{c₀ c₁ c₂ : Choice} (P : Process+ ∞ {lu} c₀)
               (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
               (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
               → ((P >>=+ Q) >>=+ R) ⊑+
                 (P >>=+ (λ x → Q x >>= R))
monadicLaw₃+ P Q R .[] .nothing empty = empty
monadicLaw₃+ P Q R .(Lab P x :: l) m (extc l .m x x₁) =
    extc l m x (monadicLaw₃∞ (PE P x) Q R l m x₁)
monadicLaw₃+ P Q R l m (intc .l .m (inj₁ x) x₁) =
    intc l m (inj₁ (inj₁ x)) (monadicLaw₃∞ (PI P x) Q R l m x₁)
monadicLaw₃+ P Q R l m (intc .l .m (inj₂ y) x₁) =
    intc l m (inj₁ (inj₂ y)) (monadPT+ P Q R y l m x₁)
monadicLaw₃+ P Q R .[] .(just (PT (P >>=+ (λ x → Q x >>= R)) x)) (terc x) = efq x

≡monadicLaw₃ : {lu : LUniv}{c₀ c₁ c₂ : Choice} (P : Process ∞ {lu} c₀)
               (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
               (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
               → ((P >>= Q) >>= R) ≡ (P >>= (λ x → Q x >>= R))
≡monadicLaw₃ {lu} {c₀} {c₁} {c₂} P Q R = (monadicLaw₃ P Q R) ,
                                        (monadicLaw₃R P Q R)


We prove now a law which expresses STOP ; P = STOP: if we compose
the STOP process sequentially with any process we get the STOP process back.
The proof of this law is as follows:

stopSeq : {lu : LUniv}{c₀ : Choice} (a : ChoiceSet c₀)
          (P : ChoiceSet c₀ → Process ∞ {lu} c₀)
          → (STOP c₀ >>= P) ⊑ STOP c₀
stopSeq a P .[] .nothing (tnode empty) = tnode empty
stopSeq a P .(efq _ :: l) m (tnode (extc l .m () x₁))
stopSeq a P l m (tnode (intc .l .m () x₁))
stopSeq a P .[] .(just (efq _)) (tnode (terc ()))

Theorem 7.3.4 (Agda Theorem)

≡stopSeq : {lu : LUniv}{c₀ : Choice} (a : ChoiceSet c₀)
           (P : ChoiceSet c₀ → Process ∞ {lu} c₀)
           → STOP c₀ {lu} ≡ (STOP c₀ {lu} >>= P)

Proof:

≡stopSeq : {lu : LUniv}{c₀ : Choice} (a : ChoiceSet c₀)
           (P : ChoiceSet c₀ → Process ∞ {lu} c₀)
           → STOP c₀ {lu} ≡ (STOP c₀ {lu} >>= P)
≡stopSeq a P = (stopSeqr a P) , (stopSeq a P)
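The refinement relation, the three monad laws and the STOP law above can be checked on a finite model of the trace semantics. The following Python block is an added example and is not code from CSP-Agda or from the thesis: it represents a process by the set of its observations (l, m), a trace together with a Maybe return value, which is exactly the data the Agda predicate Tr l m P ranges over, and implements terminate, prefixing, STOP, _>>=_ and _⊑_ on that representation. The names terminate, prefix, stop, bind, refines, equal, cont and SAMPLE, and the sample processes, are this example's own constructions.

```python
"""Finite trace model of monadic processes: refinement, >>= and the laws
of Sections 7.2 and 7.3 checked on constructed sample processes (added
example, not code from CSP-Agda)."""

# An observation is a pair (trace, result): `trace` is the tuple of labels
# seen so far and `result` is None while the process has not terminated
# after that trace, or the return value it terminated with.  This is the
# (l, m) pair with m : Maybe (ChoiceSet c) that Tr l m P ranges over.
# A process is the frozenset of its observations.


def terminate(a):
    """terminate a: no visible events, terminates at once returning a."""
    return frozenset({((), None), ((), a)})


def prefix(label, proc):
    """label -> proc: offer one external choice `label`, then behave as proc."""
    return frozenset({((), None)} | {((label,) + t, m) for t, m in proc})


def stop():
    """STOP: neither external choices nor termination."""
    return frozenset({((), None)})


def bind(proc, f):
    """P >>= f: wherever P terminates with a, continue with f a.
    Non-terminated observations of P are kept; a terminated one (t, a) is
    replaced by the observations of f a, each prefixed with t."""
    out = set()
    for t, m in proc:
        if m is None:
            out.add((t, None))
        else:
            out |= {(t + t2, m2) for t2, m2 in f(m)}
    return frozenset(out)


def refines(p, q):
    """P ⊑ Q: every observation of Q is also an observation of P
    (the page's definition, read on the finite model)."""
    return q <= p


def equal(p, q):
    """P ≡ Q: refinement in both directions."""
    return refines(p, q) and refines(q, p)


# Constructed sample data (hypothetical): a continuation that records the
# value it received and then terminates with its successor, and a process
# performing a then b and returning 1.
def cont(a):
    return prefix(("got", a), terminate(a + 1))


SAMPLE = prefix("a", prefix("b", terminate(1)))


def refinement_laws():
    """Reflexivity, transitivity and antisymmetry as in Theorem 7.2.1, plus
    the fact that ⊑ is directed: a -> STOP ⊑ STOP holds but not the converse."""
    a_stop = prefix("a", stop())
    return {
        "refl": refines(SAMPLE, SAMPLE),
        "trans": (refines(SAMPLE, a_stop) and refines(a_stop, stop())
                  and refines(SAMPLE, stop())),
        "antisym": equal(SAMPLE, SAMPLE),
        "a->STOP ⊑ STOP": refines(a_stop, stop()),
        "STOP ⊑ a->STOP": refines(stop(), a_stop),
    }


def monad_laws():
    """The three monad laws (Theorems 7.3.1 to 7.3.3) and STOP ; P = STOP
    (Theorem 7.3.4) on the sample processes."""
    return {
        "terminate a >>= P ≡ P a": equal(bind(terminate(5), cont), cont(5)),
        "P >>= terminate ≡ P": equal(bind(SAMPLE, terminate), SAMPLE),
        "(P >>= Q) >>= R ≡ P >>= (λ x → Q x >>= R)":
            equal(bind(bind(SAMPLE, cont), cont),
                  bind(SAMPLE, lambda x: bind(cont(x), cont))),
        "STOP >>= P ≡ STOP": equal(bind(stop(), cont), stop()),
    }
```

The model keeps, for every terminated observation (t, a), the observation (t, None) as well, which is what makes P >>= terminate coincide with P: the bind only replaces the terminated observations, and terminate a contributes back exactly the pair of observations it removed.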


7.4 Proof of Commutativity of the Interleaving Operator

The interleaving combination (P ||| Q) executes each component completely
independently of the other, until termination. Traces of the interleaving
combination P ||| Q will, therefore, appear as interleavings of traces of the two
components, and therefore it is easy to see that (P ||| Q) and (Q ||| P) are
trace equivalent.

However, because of the monadic setting, for most algebraic laws the
return types of the left and right hand side of an equation are different.
Assume the return types of P and Q are c₀ and c₁, respectively. Then for
instance the return type of (P ||| Q) is (c₀ ×' c₁) whereas the return type of
(Q ||| P) is (c₁ ×' c₀).

Therefore the algebraic laws hold only modulo applying an adjustment
of the return types using the operation fmap, which applies a function to the
return values.

Once we have taken this into account, a proof of commutativity of _|||_
is obtained by exchanging the external/internal/termination choices, which
means swapping inj₁ and inj₂. Here inj₁ refers to choices in the first and inj₂
to choices in the second process.

We give here the main case referring to Process+ (swap× swaps the two
sides of a product):

S|||+ : {lu : LUniv}{c₀ c₁ : Choice} (P : Process+ ∞ {lu} c₀)
        (Q : Process+ ∞ {lu} c₁)
        → (P |||++ Q) ⊑+ (fmap+ swap× (Q |||++ P))
S|||+ P Q .[] .nothing empty = empty
S|||+ P Q .(Lab Q x :: l) m (extc l .m (inj₁ x) q) =
    extc l m (inj₂ x) (S|||+∞ P (PE Q x) l m q)
S|||+ P Q .(Lab P x :: l) m (extc l .m (inj₂ x) q) =
    extc l m (inj₁ x) (S|||∞+ (PE P x) Q l m q)
S|||+ P Q l m (intc .l .m (inj₁ x) q) =
    intc l m (inj₂ x) (S|||+∞ P (PI Q x) l m q)
S|||+ P Q l m (intc .l .m (inj₂ x) q) =
    intc l m (inj₁ x) (S|||∞+ (PI P x) Q l m q)
S|||+ P Q .[] .(just (PT P x ,, PT Q y)) (terc (y ,, x)) =
    terc (x ,, y)

Theorem 7.4.1 (Agda Theorem)

≡S|||+ : {lu : LUniv}{c₀ c₁ : Choice}
         (P : Process+ ∞ {lu} c₀)
         (Q : Process+ ∞ {lu} c₁)
         → (P |||++ Q) ≡+ (fmap+ swap× (Q |||++ P))

Proof:

≡S|||+ : {lu : LUniv}{c₀ c₁ : Choice} (P : Process+ ∞ {lu} c₀)
         (Q : Process+ ∞ {lu} c₁)
         → (P |||++ Q) ≡+ (fmap+ swap× (Q |||++ P))
≡S|||+ P Q = (S|||+ P Q) , (S|||+R P Q)

7.5 Proof of Commutativity of the Parallel Operator

Most cases in the proof of the commutativity of _[_]||+[_]_ are similar to the
proof of commutativity of _|||_: one swaps inj₁ and inj₂ and uses induction.
The only more difficult case is when we have two processes synchronising,
resulting in both processes following choices having the same labels. This
case uses a proof that the two choices of the two processes have the
same label and that both labels are in the synchronised sets. We obtain in
this case from a proof that we have a trace a proof of the Boolean conjunction

Lab Q x ==l Lab P x₁ ∧ B (Lab Q x) ∧ A (Lab P x₁)

which we need to transform into a proof of the Boolean conjunction

Lab P x₁ ==l Lab Q x ∧ A (Lab P x₁) ∧ B (Lab Q x)

We will make use of functions which introduce and eliminate proofs of
Boolean conjunctions, i.e.

∧BoolIntro : (a b : Bool) → T a → T b → T (a ∧ b)

lemmaBool : (a b : Bool) → T (a ∧ b) → T a

lemmaBoolR : (a b : Bool) → T (a ∧ b) → T b

Furthermore, we make use of a proof sym of symmetry of the Boolean
equality _==l_ on labels, and the transfer lemma

transf : (Q : Label → Set) (l l' : Label) → T (l ==l l') → Q l → Q l'

lemmaBool and lemmaBoolR are defined as follows:

lemmaBool : (a b : Bool) → T' (a ∧ b) → T' a
lemmaBool false b ()
lemmaBool true false ()
lemmaBool true true tt = tt

lemmaBoolR : (a b : Bool) → T' (a ∧ b) → T' b
lemmaBoolR false false ()
lemmaBoolR true false ()
lemmaBoolR false true ()
lemmaBoolR true true tt = tt

We define as well a function which eliminates a conjunction of 3 elements:

lemmaBool'aux : (a b c : Bool)
                → T' (a ∧ b ∧ c) → T' c
lemmaBool'aux a b c p = let
                          q : T' (b ∧ c)
                          q = lemmaBoolR a (b ∧ c) p
                        in lemmaBoolR b c q


Then we apply the proof of symmetry to the equality proof and recombine
them. Finally, we need to carry out a transfer to replace the first label
(Lab P x₁) in the trace by (Lab Q x), which are known to be equal. The
resulting proof is as follows:

S[||]+ : {lu : LUniv}{c₀ c₁ : Choice} (P : Process+ ∞ {lu} c₀)
         (A B : Label lu → Bool)
         (Q : Process+ ∞ {lu} c₁)
         → (P [ A ]||+[ B ] Q) ⊑+ fmap+ swap× ((Q [ B ]||+[ A ] P))
S[||]+ P A B Q .[] .nothing empty = empty
S[||]+ P A B Q .(Lab Q a :: l) m (extc l .m (inj₁ (inj₁ (sub a x))) x₁) =
    extc l m (inj₁ (inj₂ (sub a x))) (S[||]+∞ P A B (PE Q a) l m x₁)
S[||]+ P A B Q .(Lab P a :: l) m (extc l .m (inj₁ (inj₂ (sub a x))) x₁) =
    extc l m (inj₁ (inj₁ (sub a x))) (S[||]∞+ (PE P a) A B Q l m x₁)
S[||]+ {lu} P A B Q .(Lab Q x :: l) m (extc l .m (inj₂ (sub (x ,, x₁) x₂)) x₃) =
  let
    lxlx₁ : T' (Lab Q x ==l Lab P x₁)
    lxlx₁ = lemmaBool (Lab Q x ==l Lab P x₁)
                      (B (Lab Q x) ∧ A (Lab P x₁)) x₂
    BQx : T' (B (Lab Q x))
    BQx = lemmaBool (B (Lab Q x)) (A (Lab P x₁))
                    (lemmaBoolR ((Lab Q x ==l Lab P x₁))
                                (B (Lab Q x) ∧ A (Lab P x₁)) x₂)
    APx₁ : T' (A (Lab P x₁))
    APx₁ = lemmaBool' ((Lab Q x ==l Lab P x₁))
                      (B (Lab Q x)) (A (Lab P x₁)) x₂
    lx₁lx : T' (Lab P x₁ ==l Lab Q x)
    lx₁lx = sym==l {lu} {Lab Q x} {Lab P x₁} lxlx₁
    x₂' : T' ((Lab P x₁ ==l Lab Q x)
              ∧ A (Lab P x₁) ∧ B (Lab Q x))
    x₂' = lemmaBool'' (Lab P x₁ ==l Lab Q x)
                      (A (Lab P x₁)) (B (Lab Q x))
                      lx₁lx APx₁ BQx
    auxproof : Tr+ (Lab P x₁ :: l) m (P [ A ]||+[ B ] Q)
    auxproof = extc l m (inj₂ (sub (x₁ ,, x) x₂'))
                        (S[||]∞∞ (PE P x₁) A B (PE Q x) l m x₃)
    auxproof' : Tr+ (Lab Q x :: l) m (P [ A ]||+[ B ] Q)
    auxproof' = transfLu {lu} (λ l' → Tr+ (l' :: l) m (P [ A ]||+[ B ] Q))
                         {Lab P x₁} {Lab Q x} lx₁lx auxproof
  in auxproof'
S[||]+ P A B Q l m (intc .l .m (inj₁ x) x₁) =
    intc l m (inj₂ x) (S[||]+∞ P A B (PI Q x) l m x₁)
S[||]+ P A B Q l m (intc .l .m (inj₂ y) x₁) =
    intc l m (inj₁ y) (S[||]∞+ (PI P y) A B Q l m x₁)
S[||]+ P A B Q .[] .(just (PT P x₁ ,, PT Q x)) (terc (x ,, x₁)) = terc (x₁ ,, x)

Theorem 7.5.1 (Agda Theorem)

≡S[||]+ : {lu : LUniv}{c₀ c₁ : Choice}
          (P : Process+ ∞ {lu} c₀)
          (A B : Label lu → Bool)
          (Q : Process+ ∞ {lu} c₁)
          → (P [ A ]||+[ B ] Q) ≡+ (fmap+ swap× ((Q [ B ]||+[ A ] P)))

Proof:

≡S[||]+ : {lu : LUniv}{c₀ c₁ : Choice} (P : Process+ ∞ {lu} c₀)
          (A B : Label lu → Bool)
          (Q : Process+ ∞ {lu} c₁)
          → (P [ A ]||+[ B ] Q) ≡+ (fmap+ swap× ((Q [ B ]||+[ A ] P)))
≡S[||]+ P A B Q = (S[||]+ P A B Q) , (S[||]+R P A B Q)


7.6 Proof of Commutativity of the External Choice Operator

The traces of the external choice (P □ Q) of processes are the external choice
of the traces of the two components. Therefore it is easy to see that (P □ Q)
and (Q □ P) are trace equivalent.

However, because of the monadic setting, the return types of the left and
right-hand side of the equation are different. Assume the return types of
P and Q are c₀ and c₁, respectively. Then, the return type of (P □ Q) is
(c₀ ⊎' c₁), whereas the return type of (Q □ P) is (c₁ ⊎' c₀). Therefore the
algebraic laws hold only modulo applying an adjustment of the return types
using the operation fmap, which applies a function to the return values. Such
adjustments need to be made to most other algebraic laws.

Once we have taken this into account, a proof of commutativity of _□_ is
obtained by exchanging the external/internal/termination choices of the left
and right process. Since inj₁ refers to choices in the first and inj₂ to choices
in the second process, it is obtained by swapping inj₁ and inj₂. We give here
the main case referring to Process+ (swap⊎ is the function swapping the two
sides of a disjoint union). This proof is by induction on the two processes,
which in Agda turns into a recursive proof:

S□+ : {lu : LUniv}{c₀ c₁ : Choice} (P : Process+ ∞ {lu} c₀)
      (Q : Process+ ∞ {lu} c₁)
      → (P □++ Q) ⊑+ (fmap+ swap⊎ (Q □++ P))
S□+ P Q .[] .nothing empty = empty
S□+ P Q .(Lab Q x :: l) m (extc l .m (inj₁ x) x₁) = extc l m (inj₂ x)
    (lemFmap∞ inj₁ swap⊎ (PE Q x) l m x₁)
S□+ P Q .(Lab P y :: l) m (extc l .m (inj₂ y) x₁) = extc l m (inj₁ y)
    (lemFmap∞ inj₂ swap⊎ (PE P y) l m x₁)
S□+ P Q l m (intc .l .m (inj₁ x) x₁) = intc l m (inj₂ x)
    (S□+∞ P (PI Q x) l m x₁)
S□+ P Q l m (intc .l .m (inj₂ y) x₁) = intc l m (inj₁ y)
    (S□∞+ (PI P y) Q l m x₁)
S□+ P Q .[] .(just (inj₂ (PT Q x))) (terc (inj₁ x)) = terc (inj₂ x)
S□+ P Q .[] .(just (inj₁ (PT P y))) (terc (inj₂ y)) = terc (inj₁ y)

Theorem 7.6.1 (Agda Theorem)

≡□+ : {lu : LUniv}{c₀ c₁ : Choice}
      (P : Process+ ∞ {lu} c₀)
      (Q : Process+ ∞ {lu} c₁)
      → (P □++ Q) ≡+ (fmap+ swap⊎ (Q □++ P))

Proof:

≡□+ : {lu : LUniv}{c₀ c₁ : Choice} (P : Process+ ∞ {lu} c₀)
      (Q : Process+ ∞ {lu} c₁)
      → (P □++ Q) ≡+ (fmap+ swap⊎ (Q □++ P))
≡□+ P Q = S□+ P Q , S□+R P Q


7.7 Proof of Associativity of the Interleaving Operator

Traces of the interleaving combination ((P ||| Q) ||| Z) will appear as
interleavings of traces of the three components, and therefore it is easy to see
that ((P ||| Q) ||| Z) and (P ||| (Q ||| Z)) are trace equivalent.

However, as before, the return types of the left and right hand side of
an equation are different. Assume the return types of P, Q and Z are c₀,
c₁ and c₂ respectively. Then for instance the return type of ((P ||| Q) ||| Z) is
((c₀ ×' c₁) ×' c₂) whereas the return type of (P ||| (Q ||| Z)) is (c₀ ×' (c₁ ×' c₂)).

Therefore the algebraic laws hold only modulo applying an adjustment
of the return types using the operation fmap, which applies a function to the
return values.

Once we have taken this into account, a proof of associativity of _|||_ is
obtained by exchanging the bracketing of the external/internal/termination
choices, which means exchanging the bracketing between inj₁ (inj₁ x),
inj₁ (inj₂ x) and inj₂ x. Here inj₁ (inj₁ x) refers to choices in the first,
inj₁ (inj₂ x) to choices in the second process and inj₂ x to choices in the
third process.

We give here the main case referring to Process+ (Ass× changes the
bracketing of a product):

Ass|||+ : {lu : LUniv}{c₀ c₁ c₂ : Choice} (P : Process+ ∞ {lu} c₀)
          (Q : Process+ ∞ {lu} c₁)
          (Z : Process+ ∞ {lu} c₂)
          → ((P |||++ Q) |||++ Z) ⊑+ fmap+ Ass× (P |||++ (Q |||++ Z))
Ass|||+ P Q Z .[] .nothing empty = empty
Ass|||+ P Q Z .(Lab P x :: l) m (extc l .m (inj₁ x) x₁)
    = extc l m (inj₁ (inj₁ x)) (Ass|||∞++ (PE P x) Q Z l m x₁)
Ass|||+ P Q Z .(Lab Q x :: l) m (extc l .m (inj₂ (inj₁ x)) x₁)
    = extc l m (inj₁ (inj₂ x)) (Ass|||+∞+ P (PE Q x) Z l m x₁)
Ass|||+ P Q Z .(Lab Z y :: l) m (extc l .m (inj₂ (inj₂ y)) x₁)
    = extc l m (inj₂ y) (Ass|||++∞ P Q (PE Z y) l m x₁)
Ass|||+ P Q Z l m (intc .l .m (inj₁ x) x₁)
    = intc l m (inj₁ (inj₁ x)) (Ass|||∞++ (PI P x) Q Z l m x₁)
Ass|||+ P Q Z l m (intc .l .m (inj₂ (inj₁ x)) x₁)
    = intc l m (inj₁ (inj₂ x)) (Ass|||+∞+ P (PI Q x) Z l m x₁)
Ass|||+ P Q Z l m (intc .l .m (inj₂ (inj₂ y)) x₁)
    = intc l m (inj₂ y) (Ass|||++∞ P Q (PI Z y) l m x₁)
Ass|||+ P Q Z .[] .(just ((PT P x ,, PT Q x₁) ,, PT Z x₂))
    (terc (x ,, (x₁ ,, x₂))) = terc ((x ,, x₁) ,, x₂)

Theorem 7.7.1 (Agda Theorem)

≡|||+ : {lu : LUniv}{c₀ c₁ c₂ : Choice}
        (P : Process+ ∞ {lu} c₀)
        (Q : Process+ ∞ {lu} c₁)
        (Z : Process+ ∞ {lu} c₂)
        → ((P |||++ Q) |||++ Z) ≡+ (fmap+ Ass× (P |||++ (Q |||++ Z)))

Proof:

≡|||+ P Q Z = Ass|||+ P Q Z , Ass|||+R P Q Z


7.8 Proof of Associativity of the External Choice Operator

The traces of the external choice ((P □ Q) □ Z) of processes are the external
choice of the traces of the three components. Therefore it is easy to see that
((P □ Q) □ Z) and (P □ (Q □ Z)) are trace equivalent.

As before the return types need to be adjusted. Assume the return types
of P, Q and Z are c₀, c₁ and c₂, respectively. Then, the return type of
((P □ Q) □ Z) is ((c₀ ⊎' c₁) ⊎' c₂), whereas the return type of (P □ (Q □ Z))
is (c₀ ⊎' (c₁ ⊎' c₂)). Therefore the algebraic laws hold only modulo applying
an adjustment of the return types using the operation fmap, which applies a
function to the return values.

Once we have taken this into account, a proof of associativity of _□_ is
obtained by exchanging the bracketing of the external/internal/termination
choices, which means exchanging the bracketing between inj₁ (inj₁ x),
inj₁ (inj₂ x) and inj₂ x. Here inj₁ (inj₁ x) refers to choices in the first,
inj₁ (inj₂ x) to choices in the second process and inj₂ x to choices in the
third process. We give here the main case referring to Process+ (Ass⊎r is the
function exchanging the brackets of a disjoint union). This proof is by
induction on the three processes, which in Agda turns into a recursive proof:

A□+ : {lu : LUniv}{c₀ c₁ c₂ : Choice} (P : Process+ ∞ {lu} c₀)
      (Q : Process+ ∞ {lu} c₁)
      (Z : Process+ ∞ {lu} c₂)
      → ((P □++ Q) □++ Z) ⊑+ fmap+ Ass⊎r (P □++ (Q □++ Z))
A□+ P Q Z .[] .nothing empty = empty
A□+ P Q Z .(Lab P x :: l) m (extc l .m (inj₁ x) x₁) =
  let
    x' : Tr∞ l m (fmap∞ Ass⊎r (fmap∞ inj₁ (PE P x)))
    x' = x₁
    x₁' : Tr∞ l m (fmap∞ (Ass⊎r ∘ inj₁) ((PE P x)))
    x₁' = lemFmap∞ inj₁ Ass⊎r (PE P x) l m x'
    x₂' : Tr∞ l m (fmap∞ inj₁ (fmap∞ inj₁ (PE P x)))
    x₂' = lemFmap∞R inj₁ inj₁ (PE P x) l m x₁'
  in extc l m (inj₁ (inj₁ x)) x₂'
A□+ P Q Z .(Lab Q x :: l) m (extc l .m (inj₂ (inj₁ x)) x₁) =
  let
    x₁'' : Tr∞ l m (fmap∞ Ass⊎r
                     (fmap∞ inj₂ (fmap∞ inj₁ (PE Q x))))
    x₁'' = x₁
    x₁' : Tr∞ l m (fmap∞ (Ass⊎r ∘ inj₂) (fmap∞ inj₁ (PE Q x)))
    x₁' = lemFmap∞ inj₂ Ass⊎r (fmap∞ inj₁ (PE Q x)) l m x₁''
    x₂' : Tr∞ l m (fmap∞ (Ass⊎r ∘ inj₂ ∘ inj₁) (PE Q x))
    x₂' = lemFmap∞ inj₁ (Ass⊎r ∘ inj₂) (PE Q x) l m x₁'
    x₃' : Tr∞ l m (fmap∞ inj₁ (fmap∞ inj₂ (PE Q x)))
    x₃' = lemFmap∞R inj₂ inj₁ (PE Q x) l m x₂'
  in extc l m (inj₁ (inj₂ x)) x₃'
A□+ P Q Z .(Lab Z y :: l) m (extc l .m (inj₂ (inj₂ y)) x₁) =
    extc l m (inj₂ y) (lemFmap∞ inj₂ (Ass⊎r ∘ inj₂) (PE Z y)
                        l m (lemFmap∞ inj₂ Ass⊎r (fmap∞ inj₂ (PE Z y)) l m x₁))
A□+ P Q Z l m (intc .l .m (inj₁ x) x₁) =
    intc l m (inj₁ (inj₁ x)) (A□∞++ (PI P x) Q Z l m x₁)
A□+ P Q Z l m (intc .l .m (inj₂ (inj₁ x)) x₁) =
    intc l m (inj₁ (inj₂ x)) (A□+∞+ P (PI Q x) Z l m x₁)
A□+ P Q Z l m (intc .l .m (inj₂ (inj₂ y)) x₁) =
    intc l m (inj₂ y) (A□++∞ P Q (PI Z y) l m x₁)
A□+ P Q Z .[] .(just (inj₁ (inj₁ (PT P x)))) (terc (inj₁ x)) =
    terc (inj₁ (inj₁ x))
A□+ P Q Z .[] .(just (inj₁ (inj₂ (PT Q x)))) (terc (inj₂ (inj₁ x))) =
    terc (inj₁ (inj₂ x))
A□+ P Q Z .[] .(just (inj₂ (PT Z y))) (terc (inj₂ (inj₂ y))) =
    terc (inj₂ y)

Theorem 7.8.1 (Agda Theorem)

≡A□+ : {lu : LUniv}{c₀ c₁ c₂ : Choice}
       (P : Process+ ∞ {lu} c₀)
       (Q : Process+ ∞ {lu} c₁)
       (Z : Process+ ∞ {lu} c₂)
       → ((P □++ Q) □++ Z) ≡+ fmap+ Ass⊎r (P □++ (Q □++ Z))

Proof:

≡A□+ P Q Z = (A□+ P Q Z) , A□+r P Q Z
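The commutativity and associativity laws of Sections 7.4 to 7.8 can all be exercised on a finite trace model. The following Python block is an added example and not code from CSP-Agda or the thesis: it builds the observations (trace, return value) of interleaving, alphabetised parallel composition and external choice, writes the return-type adjustments swap×, swap⊎, Ass× and Ass⊎r as plain functions, and checks each law on constructed processes P, Q and Z. It assumes, following the sub conditions in the parallel case above, that in P [A]||[B] Q a label of P in A may only occur synchronised with an equal label of Q in B while all other labels interleave; the function names, the tags "inj1"/"inj2" and the sample processes are this example's own.

```python
"""Trace-model checks of the commutativity and associativity laws of
interleaving, parallel composition and external choice (added example, not
code from CSP-Agda)."""
from itertools import product

# Observations are (trace, result) pairs: result None means the process has
# not terminated after the trace, otherwise it is the return value.

def terminate(a):
    return frozenset({((), None), ((), a)})

def prefix(label, proc):
    return frozenset({((), None)} | {((label,) + t, m) for t, m in proc})

def fmap(f, proc):
    """Apply f to return values only; traces are unchanged."""
    return frozenset({(t, None if m is None else f(m)) for t, m in proc})

def equal(p, q):
    """P ≡ Q on the trace model: mutual refinement, i.e. equal observation sets."""
    return q <= p and p <= q

def merge(tp, tq, A, B):
    """Traces obtained by running tp and tq side by side.  A label of tp in A
    must synchronise with an equal label of tq in B (assumed reading of the
    page's `sub` conditions); all other labels interleave freely."""
    if not tp and not tq:
        return {()}
    out = set()
    if tp and tp[0] not in A:
        out |= {(tp[0],) + t for t in merge(tp[1:], tq, A, B)}
    if tq and tq[0] not in B:
        out |= {(tq[0],) + t for t in merge(tp, tq[1:], A, B)}
    if tp and tq and tp[0] in A and tq[0] in B and tp[0] == tq[0]:
        out |= {(tp[0],) + t for t in merge(tp[1:], tq[1:], A, B)}
    return out

def parallel(p, A, B, q):
    """P [A]||[B] Q; it terminates with the pair (a ,, b) once both sides have."""
    out = set()
    for (tp, mp), (tq, mq) in product(p, q):
        m = None if mp is None or mq is None else (mp, mq)
        out |= {(t, m) for t in merge(tp, tq, A, B)}
    return frozenset(out)

def interleave(p, q):
    """P ||| Q: parallel composition with nothing to synchronise on."""
    return parallel(p, set(), set(), q)

def ext_choice(p, q):
    """P □ Q: the observations of either side, return values tagged inj1/inj2."""
    return frozenset({(t, None if m is None else ("inj1", m)) for t, m in p}
                     | {(t, None if m is None else ("inj2", m)) for t, m in q})

# The return-type adjustments used in the theorems, as plain functions.
def swap_prod(v):          # swap×
    return (v[1], v[0])

def swap_sum(v):           # swap⊎
    return ("inj2", v[1]) if v[0] == "inj1" else ("inj1", v[1])

def assoc_prod(v):         # Ass×  : c₀ × (c₁ × c₂) → (c₀ × c₁) × c₂
    x, (y, z) = v
    return ((x, y), z)

def assoc_sum(v):          # Ass⊎r : c₀ ⊎ (c₁ ⊎ c₂) → (c₀ ⊎ c₁) ⊎ c₂
    if v[0] == "inj1":
        return ("inj1", ("inj1", v[1]))
    tag, inner = v[1]
    return ("inj1", ("inj2", inner)) if tag == "inj1" else ("inj2", inner)

# Constructed sample processes: P = a → s → terminate 1, Q = s → b → terminate 2,
# Z = c → terminate 3; P and Q synchronise on the label s.
P = prefix("a", prefix("s", terminate(1)))
Q = prefix("s", prefix("b", terminate(2)))
Z = prefix("c", terminate(3))
SYNC = {"s"}

def check_laws():
    """Each law of Sections 7.4 to 7.8 on the samples (name -> holds?)."""
    return {
        "||| commutes modulo swap×":
            equal(interleave(P, Q), fmap(swap_prod, interleave(Q, P))),
        "||| commutes without fmap":
            equal(interleave(P, Q), interleave(Q, P)),
        "[A]||[B] commutes modulo swap×":
            equal(parallel(P, SYNC, SYNC, Q),
                  fmap(swap_prod, parallel(Q, SYNC, SYNC, P))),
        "□ commutes modulo swap⊎":
            equal(ext_choice(P, Q), fmap(swap_sum, ext_choice(Q, P))),
        "||| associates modulo Ass×":
            equal(interleave(interleave(P, Q), Z),
                  fmap(assoc_prod, interleave(P, interleave(Q, Z)))),
        "□ associates modulo Ass⊎r":
            equal(ext_choice(ext_choice(P, Q), Z),
                  fmap(assoc_sum, ext_choice(P, ext_choice(Q, Z)))),
    }

def synchronised_observations():
    """P [{s}]||[{s}] Q: s happens only once both sides are ready for it."""
    return parallel(P, SYNC, SYNC, Q)

def interleaved_observations():
    return interleave(P, Q)
```

The entry "||| commutes without fmap" is the reason the adjustment is needed: P ||| Q and Q ||| P have the same traces but return (1, 2) and (2, 1) respectively, so without fmap swap× the two observation sets differ. In the synchronised composition the trace (s) alone is impossible, since P must first perform a, whereas in the plain interleaving s may come first.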


7.9 Proof of Law for Renaming Operator

We show that if we rename the labels in the process terminate, we obtain an
equivalent process:

unitRenameLaw : {i : Size} {lu : LUniv}{c₀ : Choice} (a : ChoiceSet c₀)
                → (A : Label lu → Label lu)
                → (P : Process i {lu} c₀)
                → Rename A (terminate a) ⊑ (terminate a)
unitRenameLaw a A P l m x = x

unitRenameLawr : {i : Size} {lu : LUniv}{c₀ : Choice} (a : ChoiceSet c₀)
                 → (A : Label lu → Label lu)
                 → (P : Process i {lu} c₀)
                 → (terminate a) ⊑ Rename A (terminate a)
unitRenameLawr a A P l m x = x

Theorem 7.9.1 (Agda Theorem)

≡unitRename : {i : Size} {lu : LUniv}{c₀ : Choice} (a : ChoiceSet c₀)
              → (A : Label lu → Label lu)
              → (P : Process i {lu} c₀)
              → Rename A (terminate a) ≡ (terminate a)

Proof:

≡unitRename a A P = (unitRenameLaw a A P) , (unitRenameLawr a A P)


7.10 Proof of Laws for the Hiding Operator

The hiding operator replaces chosen external transitions by internal ones in
order to hide them from other processes. We show that hiding doesn't affect
the process terminate:

unitHideLaw : {i : Size} {lu : LUniv}{c₀ : Choice} (a : ChoiceSet c₀)
              → (A : Label lu → Bool)
              → (P : Process i {lu} c₀)
              → Hide A (terminate a) ⊑ (terminate a)
unitHideLaw {i} {c₀} a A P l m q = q

unitHideLawr : {i : Size} {lu : LUniv}{c₀ : Choice} (a : ChoiceSet c₀)
               → (A : Label lu → Bool)
               → (P : Process i {lu} c₀)
               → (terminate a) ⊑ Hide A (terminate a)
unitHideLawr {i} {c₀} a A P l m q = q

Theorem 7.10.1 (Agda Theorem)

≡unitHide : {i : Size} {lu : LUniv}{c₀ : Choice} (a : ChoiceSet c₀)
            → (A : Label lu → Bool)
            → (P : Process i {lu} c₀)
            → Hide A (terminate a) ≡ (terminate a)

Proof:

≡unitHide a A P = (unitHideLaw a A P) , (unitHideLawr a A P)

Similarly we show that hiding of STOP gives the same process:

stopHideLaw : {i : Size} {lu : LUniv}{c₀ : Choice} (a : ChoiceSet c₀)
              → (A : Label lu → Bool)
              → (P : Process i {lu} c₀)
              → Hide A (STOP c₀) ⊑ ((STOP c₀))
stopHideLaw {i} {c₀} a A (terminate x) .[] .nothing (tnode empty)
    = tnode empty
stopHideLaw {i} {c₀} a A (terminate x₁) .(efq _ :: l) m
    (tnode (extc l .m () x₂))
stopHideLaw {i} {c₀} a A (terminate x) l m
    (tnode (intc .l .m () x₂))
stopHideLaw {i} {c₀} a A (terminate x₁) .[] .(just (efq x))
    (tnode (terc x)) = tnode (terc x)
stopHideLaw {i} {c₀} a A (node x) .[] .nothing (tnode empty)
    = tnode empty
stopHideLaw {i} {c₀} a A (node x₁) .(efq _ :: l) m
    (tnode (extc l .m () x₂))
stopHideLaw {i} {c₀} a A (node x) l m (tnode (intc .l .m () x₂))
stopHideLaw {i} {c₀} a A (node x₁) .[] .(just (efq x))
    (tnode (terc x)) = tnode (terc x)

Theorem 7.10.2 (Agda Theorem)

≡stopHide : {i : Size} {lu : LUniv}{c₀ : Choice} (a : ChoiceSet c₀)
            → (A : Label lu → Bool)
            → (P : Process i {lu} c₀)
            → Hide A (STOP c₀) ≡ (STOP c₀)

Proof:

≡stopHide a A P = (stopHideLaw a A P) , (stopHideLawr a A P)


7.11 Proof of Termination and Unit for Interleaving Operator

We will show that terminate is the unit for the interleaving operator. A special
case is that terminate interleaved with itself is terminate (modulo renaming
of the result):

TerIntLaw : {lu : LUniv}{c₀ c₁ : Choice} (a : ChoiceSet c₀) (b : ChoiceSet c₁)
            → _⊑_ {lu} (terminate a ||| terminate b) (terminate ((a ,, b)))
TerIntLaw {lu} {c₀} {c₁} a P l m q = q

TerIntLawr : {lu : LUniv}{c₀ c₁ : Choice} (a : ChoiceSet c₀) (b : ChoiceSet c₁)
             → _⊑_ {lu} (terminate ((a ,, b))) (terminate a ||| terminate b)
TerIntLawr {lu} {c₀} {c₁} a P l m q = q

Theorem 7.11.1 (Agda Theorem)

≡TerInt+ : {lu : LUniv}{c₀ c₁ : Choice} (a : ChoiceSet c₀) (b : ChoiceSet c₁)
           → _≡_ {lu} (terminate a ||| terminate b) (terminate ((a ,, b)))

Proof:

≡TerInt+ a b = TerIntLaw a b , TerIntLawr a b

The other law states that SKIP is the unit of the interleaving operator (i.e.
SKIP ||| P = P). We can prove this property as follows:

uniIntLaw : {lu : LUniv}{c₀ : Choice} (a : ChoiceSet c₀)
            → (P : Process ∞ {lu} c₀)
            → (terminate a ||| P) ⊑ fmap ((_,,_ a)) P
uniIntLaw {c₀} a P l m q = q

uniIntLawr : {lu : LUniv}{c₀ : Choice} (a : ChoiceSet c₀)
             → (P : Process ∞ {lu} c₀)
             → fmap ((_,,_ a)) P ⊑ (terminate a ||| P)
uniIntLawr {c₀} a P l m q = q

Theorem 7.11.2 (Agda Theorem)

≡uniInt : {lu : LUniv}{c₀ : Choice} (a : ChoiceSet c₀)
          → (P : Process ∞ {lu} c₀)
          → (terminate a ||| P) ≡ fmap ((_,,_ a)) P

Proof:

≡uniInt a P = (uniIntLaw a P) , (uniIntLawr a P)
7.12 Proof of the Law of the Parallel Operator combined with terminate

We show that the parallel composition of the process terminate with itself
is, modulo renaming of the result, the process terminate:

ter[-||-] : {lu : LUniv}{c₀ c₁ : Choice} (a : ChoiceSet c₀)
            (b : ChoiceSet c₁) (A B : Label lu → Bool)
            → (terminate a [ A ]||[ B ] terminate b) ⊑
              fmap (λ x → a ,, b) (terminate ((a ,, b)))
ter[-||-] {c₀} a P A B l m q = q

ter[-||-]r : {lu : LUniv}{c₀ c₁ : Choice} (a : ChoiceSet c₀)
             (b : ChoiceSet c₁) (A B : Label lu → Bool)
             → fmap (λ x → a ,, b) (terminate ((a ,, b))) ⊑
               (terminate a [ A ]||[ B ] terminate b)
ter[-||-]r a P A B l m q = q

Theorem 7.12.1 (Agda Theorem)

≡ter[-||-] : {lu : LUniv}{c₀ c₁ : Choice} (a : ChoiceSet c₀)
             (b : ChoiceSet c₁) (A B : Label lu → Bool)
             → (terminate a [ A ]||[ B ] terminate b)
               ≡ fmap (λ x → a ,, b) (terminate ((a ,, b)))

Proof:

≡ter[-||-] a b A B = (ter[-||-] a b A B) , (ter[-||-]r a b A B)

We have in this chapter defined the trace semantics of CSP in CSP-Agda,
and adjusted it to the monadic setting. Since in CSP-Agda processes are
monadic, we need to record, in case a process has terminated after following
a trace, the return value of this process. We implemented this semantics,
together with the corresponding refinement and equality relation, formally in
CSP-Agda. We demonstrated the proof capabilities of CSP-Agda by proving
in CSP-Agda selected algebraic laws of CSP based on the trace semantics.
The examples covered in this chapter are the laws of refinement, commutativity
of interleaving, parallel, and external choice, the monad laws for the
monadic extension of CSP, associativity of interleaving and external choice,
and laws for renaming, hiding, interleaving and parallel. All proofs and
definitions have been type checked in Agda.

Proofs of algebraic laws using trace semantics were carried out relatively
smoothly. When introducing stable failures and FDI semantics in the
following, this will not continue any more: direct proofs for these semantics
will be quite difficult. However, we will overcome this problem by introducing
in Chapter 10 strong bisimilarity and DRW bisimilarity. We will show
there that these relations imply stable failures and FDI equivalence. Proofs
using bisimilarity and DRW-bisimilarity will be relatively easy, and we will
be able to show algebraic properties for stable failures and FDI semantics by
first showing them using DRW bisimilarity or strong bisimilarity and then
transferring them to stable failures and FDI semantics.
Chapter 8

Stable Failures Semantics


Trace semantics refers only to the visible (or observable) traces. It doesn't
distinguish between external and internal choice. In particular, it does not
tell what a process can refuse to do.

Take as an example the processes

(a → P₁) □ (b → P₂)

and

(a → P₁) ⊓ (b → P₂)

The first one allows an external choice a and then continues with P₁, or an
external choice b and continues with P₂. The second one makes an internal
choice to a → P₁ or b → P₂. In the first case it allows only external
choice a followed by P₁, and in the second case it allows only external choice
b followed by P₂. The traces of both processes are the same. But the second
one can internally switch to a → P₁ or b → P₂, and in the first case
refuse b, and in the second case refuse a. Stable failures semantics will
distinguish between the two processes: The second process has two stable
states (which means here a state without τ-transitions), a → P₁ and
b → P₂, which can be reached by τ-transitions, and which refuse b and a,
respectively. The process (a → P₁) □ (b → P₂) doesn't have states with
the same properties¹.

The stable failures model has been developed to take care of this problem
and to distinguish between external and internal choice. The stable failures
model refers to a refusal set. A refusal set is a set X of external choices a
process does not accept before following any other external choice. Stable
failures in CSP are defined as pairs (t, X), where t ∈ traces(P) and X is a
refusal of a process P' that one can obtain by following trace t, such that
P' is stable. Roscoe and Schneider differ in their notion of stability: for
Schneider it means it has no τ-transitions, for Roscoe it means it has neither
τ- nor ✓-transitions. We will later work mainly with Roscoe stability and
use Schneider stability only as an auxiliary notion in proofs. Note that t
records only the external choices of a sequence of transitions; there can be
arbitrarily many τ-transitions involved. Note as well that there can be more
than one process P' one can reach with the same trace t.

Refinement between two processes in the stable failures semantics holds
whenever a reversed subset relation holds between their sets of traces and
stable failures (written as failures(P)):

P ⊑ Q iff traces(Q) ⊆ traces(P) ∧ failures(Q) ⊆ failures(P)

In this section, we represent the stable failures model in CSP-Agda. We
note here already that direct proofs in CSP-Agda of algebraic properties with
respect to stable failures equivalence are rather difficult. We will however
prove those laws indirectly in Chapter 10 by proving the laws with respect to
DRW-bisimilarity, and showing that this implies stable failures equivalence.

¹ See Sect. 8.5 of Roscoe [1998] for the precise history of the stable failures model.

8.1 Traces with Next Process 

We first introduce a variant of the definition of a trace, in which we record 
as well the process we obtain after following that trace. More precisely, we 
define a predicate (TrP l m P), which holds if a process P, after following a 
trace given by a list of labels l, reaches a possible next process m. So "P 
has trace l" means that there is some m such that (TrP l m P) holds. Since we 
have terminated processes, it might be that after following this trace we have 
terminated; therefore m can as well be a return value of the process. Combining 
the two possibilities, m is an element of Process ∞ c ⊎ ChoiceSet c. 
We define as well traces (TrP+ l m P) and (TrP∞ l m P) for processes 
in Process+ and Process∞, respectively, similarly to the way we defined them 
in the traces model in Sect. 7. For elements of Process+, the traces are the 
empty trace empty, external choice extc, internal choice intc, and traces 
resulting from a termination event terc. In the case of terc, the process has 
terminated, so m is inj₂ (PT P x). The definition of the extended traces in 
CSP-Agda is as follows: 

    data TrP+ {lu : LUniv}{c : Choice} : (l : List (Label lu)) 
              → Process ∞ {lu} c ⊎ ChoiceSet c 
              → (P : Process+ ∞ {lu} c) → Set where 
      empty : {P : Process+ ∞ {lu} c} → TrP+ {lu} [] (inj₁ (node P)) P 
      extc  : {P : Process+ ∞ {lu} c} 
              → (l : List (Label lu)) 
              → (tick : Process ∞ {lu} c ⊎ ChoiceSet c) 
              → (x : ChoiceSet (E P)) 
              → TrP∞ {lu} l tick (PE P x) 
              → TrP+ {lu} (Lab P x ∷ l) tick P 
      intc  : {P : Process+ ∞ {lu} c} 
              → (l : List (Label lu)) 
              → (tick : Process ∞ {lu} c ⊎ ChoiceSet c) 
              → (x : ChoiceSet (I P)) 
              → TrP∞ {lu} l tick (PI P x) 
              → TrP+ {lu} l tick P 
      terc  : {P : Process+ ∞ {lu} c} 
              → (x : ChoiceSet (T P)) 
              → TrP+ {lu} [] (inj₂ (PT P x)) P 


For elements of (Process ∞ c), the traces are the terminated trace ter for the 
terminated process, the empty trace empty, and traces (tnode tr) originating 
from a trace of a (Process+ ∞ c): 

    data TrP {lu : LUniv}{c : Choice} : (l : List (Label lu)) 
             → Process ∞ {lu} c ⊎ ChoiceSet c 
             → (P : Process ∞ {lu} c) → Set where 
      ter   : (x : ChoiceSet c) → TrP {lu} [] (inj₂ x) (terminate x) 
      empty : (x : ChoiceSet c) → TrP {lu} [] (inj₁ (terminate x)) (terminate x) 
      tnode : {l : List (Label lu)} 
              → {x : Process ∞ {lu} c ⊎ ChoiceSet c} 
              → {P : Process+ ∞ {lu} c} 
              → TrP+ {lu} {c} l x P 
              → TrP {lu} l x (node P) 


Finally, the traces for Process∞ are the traces of the underlying Process: 

    TrP∞ : {lu : LUniv}{c : Choice} (l : List (Label lu)) 
           (tick : Process ∞ {lu} c ⊎ ChoiceSet c) 
           (P : Process∞ ∞ {lu} c) → Set 
    TrP∞ {lu} {c} l tick P = TrP {lu} l tick (forcep P) 
8.2 Stable Process 

There are two different definitions of when a process is stable. According to 
Schneider [1999], it means that it cannot make any internal transitions, in 
CSP written as $P \downarrow \;=\; \neg(P \xrightarrow{\tau})$. According to Roscoe [1998], in 
addition no ✓-transitions are allowed. We define a parametrised version, which 
depends on whether we choose the Roscoe version or not. We first define 
stability according to Schneider: 

    stableSch∞ : {lu : LUniv}{c : Choice}(P : Process∞ ∞ {lu} c) → Set 
    stableSch∞ P = stableSch (forcep P) 

    stableSch+ : {lu : LUniv}{c : Choice}(P : Process+ ∞ {lu} c) → Set 
    stableSch+ P = ¬ (ChoiceSet (I P)) 

    stableSch : {lu : LUniv}{c : Choice}(P : Process ∞ {lu} c) → Set 
    stableSch (terminate x) = ⊤ 
    stableSch (node P)      = stableSch+ P 

Note that not having an internal choice is defined as there being no element 
in the internal choice set. This is the correct notion, since for the 
semantics all that is relevant is which external choices, internal choices and 
termination events a process can allow or perform; how they are indexed is a 
mere implementation detail. When defining the operators of CSP we used pattern 
matching on these choice sets, but equivalent choice sets should result in 
equivalent choice sets of the resulting processes. 

Now we define a condition expressing that, in the case of Roscoe, no tick is 
allowed: 

    noTickIfRoscoe+ : {lu : LUniv}{c : Choice} (isRoscoe : Bool) 
                      (P : Process+ ∞ {lu} c) → Set 
    noTickIfRoscoe+ false P = ⊤ 
    noTickIfRoscoe+ true  P = ¬ (ChoiceSet (T P)) 

    noTickIfRoscoe : {lu : LUniv}{c : Choice}(isRoscoe : Bool) 
                     (P : Process ∞ {lu} c) 
                     → Set 
    noTickIfRoscoe false    (terminate x) = ⊤ 
    noTickIfRoscoe true     (terminate x) = ⊤ 
    noTickIfRoscoe isRoscoe (node Q)      = noTickIfRoscoe+ isRoscoe Q 
Finally we give the parametrised definition of stable processes: 

    stableParametrized∞ : {lu : LUniv}{c : Choice}(isRoscoe : Bool) 
                          (P : Process∞ ∞ {lu} c) → Set 
    stableParametrized∞ b P = stableParametrized b (forcep P) 

    stableParametrized+ : {lu : LUniv}{c : Choice}(isRoscoe : Bool) 
                          (P : Process+ ∞ {lu} c) → Set 
    stableParametrized+ isRoscoe P = stableSch+ P × noTickIfRoscoe+ isRoscoe P 

    stableParametrized : {lu : LUniv}{c : Choice}(isRoscoe : Bool) 
                         (P : Process ∞ {lu} c) → Set 
    stableParametrized {c} isRoscoe (terminate x) = T' isRoscoe 
    stableParametrized {c} b        (node P)      = stableParametrized+ b P 

In this thesis we work most of the time with the Roscoe version; Schneider 
stability will be used as an auxiliary notion in proofs. Roscoe stability is 
defined as follows: 

    stable∞ : {lu : LUniv}{c : Choice}(P : Process∞ ∞ {lu} c) → Set 
    stable∞ P = stableParametrized∞ true P 

    stable+ : {lu : LUniv}{c : Choice}(P : Process+ ∞ {lu} c) → Set 
    stable+ P = stableParametrized+ true P 

    stable : {lu : LUniv}{c : Choice}(P : Process ∞ {lu} c) → Set 
    stable P = stableParametrized true P 

Since in many cases we need only that there are no internal choices in case of 
stability, we define a function extracting this information: 

    stabToNoInternal+ : {lu : LUniv}{c : Choice}(P : Process+ ∞ {lu} c) 
                        (stab : stable+ P) 
                        → ¬ (ChoiceSet (I P)) 
    stabToNoInternal+ P (noInterCh ,, notermEv) intChoice = noInterCh intChoice 

Furthermore, we want to combine Schneider stability and the no-tick property 
to obtain parametrised stability: 

    stabSchNoTickIfRos2StablePar : {lu : LUniv}{c : Choice}(P : Process ∞ {lu} c) 
                                   (isRoscoe : Bool) 
                                   (stabSch : stableSch P) 
                                   (notick : noTickIfRoscoe isRoscoe P) 
                                   → stableParametrized isRoscoe P 
    stabSchNoTickIfRos2StablePar (terminate x) false stabSch notick () 
    stabSchNoTickIfRos2StablePar (terminate x) true  stabSch () 
    stabSchNoTickIfRos2StablePar (node x)      false stabSch notick = stabSch ,, _ 
    stabSchNoTickIfRos2StablePar (node x)      true  stabSch notick = stabSch ,, notick 


8.3 Refusal Sets 

According to Schneider [1999] (Sect. 6.1), a set X is a refusal set for a process 
P if after following an empty trace, i.e. after finitely many τ-transitions, we 
obtain a stable process which does not allow any external choice transition 
in X. In CSP it is defined as follows (P ↓ means P is Schneider stable, i.e. P 
does not have any τ-transitions): 

    $P \;\mathrm{ref}\; X \iff \exists P' \bullet (P \Longrightarrow P') \wedge (P' \downarrow) \wedge (\forall a \in X \bullet \neg(P' \xrightarrow{a}))$ 

In the book by Roscoe [1998] this definition is modified: a process can refuse 
external choices only if it has no termination event, whereas in the book by 
Schneider [1999] a process which has termination events can still reject 
external choices. 

For stable states we have, in the case of Roscoe, no termination events, so 
for stable failures the definition by Schneider does not need to be modified. 
However, in the failures/divergences/infinite traces model non-stable failures 
are considered as well; therefore we parametrise the definition of refusal sets, 
as we did for stability, over whether we use the version of Roscoe or of 
Schneider. If the parameter isRoscoe is true, a process with termination events 
has no refusal sets, as in Roscoe; otherwise termination events are allowed. 

We first define the notion of a process having no external choices in a given 
set of labels X (represented as a Boolean predicate on labels): 

    NoExtChInX : {lu : LUniv}{c : Choice}(Q : Process+ ∞ c) 
                 (X : (Label lu) → Bool) 
                 → Set 
    NoExtChInX Q X = (e : ChoiceSet (E Q)) → ¬ (T' (X (Lab Q e))) 

and that a process does not allow termination events if isRoscoe is true: 

    NoTicksIfIsRoscoe : {lu : LUniv}{c : Choice}(Q : Process+ ∞ {lu} c) 
                        (isRoscoe : Bool) 
                        → Set 
    NoTicksIfIsRoscoe Q isRoscoe = (tickIsIncl : T' isRoscoe) 
                                   → ¬ (ChoiceSet (T Q)) 

Now we define what it means for a process to directly refuse all external 
events with labels in X: 

    data DRefusal+ {lu : LUniv}{c : Choice}(Q : Process+ ∞ {lu} c) 
                   (isRoscoe : Bool) 
                   (X : (Label lu) → Bool) : Set where 
      drefusal : (noextChInX : NoExtChInX Q X) 
                 (noTerm : NoTicksIfIsRoscoe Q isRoscoe) 
                 → DRefusal+ {lu}{c} Q isRoscoe X 

    DRefusal : {lu : LUniv}{c : Choice}(Q : Process ∞ {lu} c) 
               (isRoscoe : Bool) 
               (X : (Label lu) → Bool) → Set 
    DRefusal (terminate x) isRoscoe X = ¬ (T' isRoscoe) 
    DRefusal (node x)      isRoscoe X = DRefusal+ {lu}{c} x isRoscoe X 

    DRefusal∞ : {lu : LUniv}{c : Choice}(Q : Process∞ ∞ {lu} c) 
                (isRoscoe : Bool) 
                (X : (Label lu) → Bool) → Set 
    DRefusal∞ {lu}{c} Q isRoscoe X = DRefusal {lu}{c} (forcep Q) isRoscoe X 

Now we obtain the definition of a refusal set of a process: it is the union of 
the direct refusals of the stable processes one can reach from the process by 
τ-transitions only: 

    data refusal {lu : LUniv}{c : Choice}(P : Process ∞ {lu} c)(isRoscoe : Bool) 
                 (X : (Label lu) → Bool) : Set where 
      refusalp : (Q : Process ∞ {lu} c) 
                 (tr : TrP {lu}{c} [] (inj₁ Q) P) 
                 (stab : stable Q) 
                 (drefuse : DRefusal Q isRoscoe X) 
                 → refusal P isRoscoe X 

    data refusal+ {lu : LUniv}{c : Choice}(P : Process+ ∞ {lu} c)(isRoscoe : Bool) 
                  (X : (Label lu) → Bool) : Set where 
      refusalp : (Q : Process ∞ {lu} c) 
                 (tr : TrP+ {lu}{c} [] (inj₁ Q) P) 
                 (stab : stable Q) 
                 (drefuse : DRefusal Q isRoscoe X) 
                 → refusal+ P isRoscoe X 

    data refusal∞ {lu : LUniv}{c : Choice}(P : Process∞ ∞ {lu} c)(isRoscoe : Bool) 
                  (X : (Label lu) → Bool) : Set where 
      refusalp : (Q : Process ∞ {lu} c) 
                 (tr : TrP∞ {lu}{c} [] (inj₁ Q) P) 
                 (stab : stable Q) 
                 (drefuse : DRefusal Q isRoscoe X) 
                 → refusal∞ P isRoscoe X 


8.4 Stable Failures 

The stable failures of a process P are pairs of a list of labels l and a set of 
labels X such that, after following a trace with labels l, the process can 
reach a stable process which refuses all events in X. This is written in CSP as 

    $\exists P'' \bullet P \overset{tr}{\Longrightarrow} P'' \;\wedge\; P'' \downarrow \;\wedge\; P'' \;\mathrm{ref}\; X$ 

Here P″ ref X expresses that P″ refuses all external events in X, even after 
making τ-transitions. Since a stable process cannot make any τ-transitions, 
for a stable process P we can define 

    $P \;\mathrm{ref}\; X \iff \forall a \in X \bullet \neg(P \xrightarrow{a})$ 

So "P refuses X after trace tr" can be rewritten as 

    $\exists P' \bullet P \overset{tr}{\Longrightarrow} P' \;\wedge\; P' \downarrow \;\wedge\; \forall a \in X \bullet \neg(P' \xrightarrow{a})$ 

The definition in CSP-Agda is as follows (stableFailure for Process and 
stableFailure∞ for Process∞ are defined analogously): 

    data stableFailure+ {lu : LUniv}{c : Choice}(P : Process+ ∞ {lu} c) 
                        (l : List (Label lu)) 
                        (isRoscoe : Bool) 
                        (X : (Label lu) → Bool) : Set where 
      stableFp : (Q : Process ∞ {lu} c) 
                 (tr : TrP+ {lu}{c} l (inj₁ Q) P) 
                 (stab : stable Q) 
                 (drefuse : DRefusal Q isRoscoe X) 
                 → stableFailure+ P l isRoscoe X 


8.5 Refinement Relations 

We now define two refinement relations: _⊑sf₁_ expresses that the stable 
failures of the second process are stable failures of the first one (we use 
the version of Roscoe here), and _⊑sf_ is the conjunction of the trace 
refinement _⊑_ of Sect. 7 and _⊑sf₁_. We first define _⊑sf₁_: 

    _⊑sf₁_ : {lu : LUniv}{c : Choice} (P : Process ∞ {lu} c) 
             (Q : Process ∞ {lu} c) → Set 
    _⊑sf₁_ {lu}{c} P Q = (l : List (Label lu)) (X : (Label lu) → Bool) 
                         → stableFailure Q l true X 
                         → stableFailure P l true X 

We define similarly _⊑sf₁+_ between elements of Process+ and _⊑sf₁∞_ between 
elements of Process∞. The definition of _⊑sf_ (with similar definitions of 
_⊑sf+_ and _⊑sf∞_) and of stable failures equivalence _≡sf_ is as follows: 

    _⊑sf_ : {lu : LUniv}{c : Choice} (P : Process ∞ {lu} c) 
            (Q : Process ∞ {lu} c) → Set 
    P ⊑sf Q = (P ⊑ Q) × (P ⊑sf₁ Q) 

    _≡sf_ : {lu : LUniv}{c : Choice} (P : Process ∞ {lu} c) 
            (Q : Process ∞ {lu} c) → Set 
    P ≡sf Q = (P ⊑sf Q) × (Q ⊑sf P) 
8.6 Proofs for Stable Failures Semantics 

It turns out that direct proofs using stable failures semantics are very 
complicated except for simple properties. The reason is that in order to prove 
properties one needs to introduce lemmas referring to all subprocesses obtained 
when evolving the processes. This is very cumbersome. It is much easier to 
carry out those proofs indirectly using forms of bisimilarity: we first show 
that processes are bisimilar and that the form of bisimilarity chosen implies 
equivalence with respect to stable failures semantics. Such proofs can be found 
in Chapter 10. 


a 


o 



o 


o 


^Chapter Q°-, 

o 

Failures Divergences 

^-° 

Infinite Traces Semantics 

9.1 Motivation 

The stable failures model as discussed in Chapter 8 does not analyse processes 
which can possibly diverge. Here a process is divergent if it allows an 
infinite sequence of τ-transitions. The stable failures model ignores any 
divergent behaviour. For instance, consider the process Q which has a 
τ-transition to itself and a τ-transition to STOP. Process Q has the same 
traces as the STOP process, namely only the empty one. The only stable process 
reachable from Q (following the empty trace) is the STOP process, which is also 
the only stable process reachable from STOP, so both have the same stable 
failures. So Q and STOP are stable failures equivalent, but Q can diverge 
whereas the STOP process cannot. 

Therefore the Failures/Divergences/Infinite Traces model (FDI) of CSP has been 
developed to remedy this problem; additional behaviours are introduced 
alongside the information about failures. In this approach we identify a 
process P with the failures, divergences, and infinite traces that may be 
observed. Since this approach takes account of divergent and infinite 
behaviour as well as of stable failures, it is more discriminating than the 
stable failures semantics. 

The first component referred to in this model, the failures set, contains 
both stable failures and unstable failures. Unstable failures arise from 
divergent processes, which, because of their divergence, refuse everything. 

The second component is the set of divergences, which consists of all traces 
which lead to a divergent process. 

The third component, the infinite traces, is the set of all infinite sequences 
of events from Σ a process can perform. 

We note here already that direct proofs in CSP-Agda of algebraic properties 
with respect to FDI equivalence are rather difficult. We will however prove 
those laws indirectly in Chapter 10 by proving the laws with respect to 
DRW-bisimilarity, and showing that this implies FDI equivalence. 


9.2 Failures 

As discussed in detail in Schneider [1999], Sect. 8.1, in the 
failures/divergences/infinite traces semantics there are two kinds of failures: 
stable failures, as defined before, and unstable failures, arising from a 
divergent process. The union of those two sets is defined in CSP-Agda as 
follows: 

    data failure {lu : LUniv}{c : Choice}(P : Process ∞ {lu} c) 
                 (l : List (Label lu)) 
                 (isRoscoe : Bool) 
                 (X : (Label lu) → Bool) : Set where 
      stableFail : stableFailure P l isRoscoe X 
                   → failure P l isRoscoe X 
      divergentFailure : TraceDivergent ∞ c l P 
                         → failure P l isRoscoe X 

The corresponding notions failure∞ for Process∞ and failure+ for Process+ are 
defined similarly. 


9.3 Divergent Process 

If a process P performs internal transitions forever, it cannot reach a stable 
state. In this case the process P is called divergent, written in CSP as 
$P \Uparrow$. 

There are two kinds of divergent behaviour. One is where there is a trace 
leading to a divergent state, i.e. a state where the process can perform an 
infinite sequence of τ-transitions. The other one is an infinite trace, in 
which a process can have infinitely many observable events but may as well 
fork off into a divergent behaviour. The generalisation of both is that we 
have an infinite sequence of τ-transitions starting from the process in 
question, and it is this notion which we formalise in CSP-Agda. We define 
divergent processes coinductively as follows: 

    record DivergentProcess∞ (i : Size){lu : LUniv}(c : Choice) 
                             (P : Process∞ ∞ {lu} c) : Set where 
      coinductive 
      field 
        forcediv : {j : Size< i} → DivergentProcess j {lu} c (forcep P) 

    data DivergentProcess (i : Size){lu : LUniv}(c : Choice) 
                          : (P : Process ∞ {lu} c) → Set where 
      div : (P : Process+ ∞ c) (divP : DivergentProcess+ i c P) 
            → DivergentProcess i c (node P) 

    data DivergentProcess+ (i : Size){lu : LUniv}(c : Choice) 
                           (P : Process+ ∞ {lu} c) : Set where 
      div+ : (int : ChoiceSet (I P)) 
             (divP : DivergentProcess∞ i c (PI P int)) 
             → DivergentProcess+ i c P 


9.4 Divergent Traces 

A trace of a process is considered a divergent trace if, after the finite 
sequence of events it records, a divergent state is reached. In CSP, tr is a 
divergent trace for process P if there exists a Q such that 

    $P \overset{tr}{\Longrightarrow} Q \;\wedge\; (Q \Uparrow)$ 

We define divergent traces as follows: 

    data TraceDivergent+ (i : Size){lu : LUniv}(c : Choice) 
                         (l : List (Label lu)) (P : Process+ ∞ {lu} c) : Set where 
      trdiv : (Q : Process ∞ {lu} c)(trp : TrP+ {lu} {c} l (inj₁ Q) P) 
              (divp : DivergentProcess i c Q) 
              → TraceDivergent+ i c l P 

    data TraceDivergent (i : Size){lu : LUniv}(c : Choice) 
                        (l : List (Label lu)) 
                        (P : Process ∞ {lu} c) : Set where 
      trdiv : (Q : Process ∞ {lu} c) (trp : TrP {lu} {c} l (inj₁ Q) P) 
              (divp : DivergentProcess i c Q) 
              → TraceDivergent i c l P 

    data TraceDivergent∞ (i : Size){lu : LUniv}(c : Choice) 
                         (l : List (Label lu)) 
                         (P : Process∞ ∞ {lu} c) : Set where 
      trdiv : (Q : Process ∞ {lu} c) (trp : TrP∞ {lu} {c} l (inj₁ Q) P) 
              (divp : DivergentProcess i c Q) 
              → TraceDivergent∞ i c l P 


9.5 Infinite Traces 

In order to introduce the notion of infinite traces, we first need the notion 
of infinite streams of labels. This definition is the coinductive form of a 
list, except that we do not have an empty list. We repeat the definition of 
streams from Subsect. 3.2.5 in Agda: 

    record Stream {i : Size} (X : Set) : Set where 
      coinductive 
      field 
        head : X 
        tail : {j : Size< i} → Stream {j} X 

The infinite traces for a Process+ are given in the following. This definition 
is inductive in the case of internal choices, since we allow only finitely 
many internal choices before an external choice is chosen, whereas it is 
coinductive in the external choices. The difference is recorded in the two 
types infTr∞ and infTr∞': 

    data infTr+ {i : Size} {lu : LUniv}{c : Choice} 
                : (l : Stream {∞} (Label lu)) 
                → (P : Process+ ∞ {lu} c) → Set where 
      extc : {P : Process+ ∞ {lu} c} 
             → (l : Stream {∞} (Label lu)) 
             → (x : ChoiceSet (E P)) 
             → (T' (head l ==l Lab P x)) 
             → infTr∞ {i} {lu}{c} (tail l) (PE P x) 
             → infTr+ {i} {lu}{c} l P 
      intc : {P : Process+ ∞ {lu} c} 
             → (l : Stream {∞} (Label lu)) 
             → (x : ChoiceSet (I P)) 
             → infTr∞' {i} l (PI P x) 
             → infTr+ {i} l P 

For Process, we just refer to the notion infTr+; however, we do not allow a 
termination event: 

    data infTr {i : Size} {lu : LUniv}{c : Choice} : 
               (l : Stream {∞} (Label lu)) → 
               (P : Process ∞ {lu} c) → Set where 
      tnode : {l : Stream {∞} (Label lu)} 
              → {P : Process+ ∞ {lu} c} 
              → infTr+ {i} {lu} {c} l P 
              → infTr {i} {lu} l (node P) 

Finally, we define the notion for Process∞. We have one notion infTr∞, which 
coinductively refers to a process of smaller size. The notion infTr∞' keeps 
the size and is inductive. The definition in Agda is as follows: 

    record infTr∞ {i : Size} {lu : LUniv}{c : Choice} 
                  (l : Stream {∞} (Label lu)) 
                  (P : Process∞ ∞ {lu} c) : Set where 
      coinductive 
      field 
        forcetP : {j : Size< i} → infTr {j} l (forcep P) 

    infTr∞' : {i : Size} {lu : LUniv}{c : Choice} 
              (l : Stream {∞} (Label lu)) 
              (P : Process∞ ∞ {lu} c) → Set 
    infTr∞' {i} {lu} {c} l P = infTr {i} l (forcep P) 

We note here that in Agda a mutual coinductive/inductive definition of this 
shape is interpreted as always-eventually (ν μ) rather than eventually-always 
(μ ν): along an infinite trace, after every external choice the next external 
choice is reached after finitely many internal choices. 

9.6 Refinement Relations 

We now define four refinement relations. First we include the refinement 
notion for traces; this is needed since, constructively, not every trace will 
be part of one of the other notions. Next we define _⊑fdi₁_, which expresses 
that the divergent traces of the second process are divergent traces of the 
first one. Then we have _⊑fdi₂ros_, expressing that the failures of the second 
process are failures of the first one (we use the version of Roscoe here). 
Then we define _⊑fdi₃_, expressing refinement with respect to infinite traces. 
Finally we define _⊑fdi_ as the conjunction of refinement for traces and of 
the previous three refinement relations. 

    _⊑fdi₁_ : {lu : LUniv}{c : Choice} (P : Process ∞ {lu} c) 
              (Q : Process ∞ {lu} c) → Set 
    _⊑fdi₁_ {lu}{c} P Q = (l : List (Label lu)) 
                          → TraceDivergent ∞ c l Q 
                          → TraceDivergent ∞ c l P 

    _⊑fdi₂ros_ : {lu : LUniv}{c : Choice} (P : Process ∞ {lu} c) 
                 (Q : Process ∞ {lu} c) → Set 
    _⊑fdi₂ros_ {lu}{c} P Q = (l : List (Label lu)) 
                             (X : (Label lu) → Bool) 
                             → failure Q l true X 
                             → failure P l true X 

    _⊑fdi₃_ : {lu : LUniv}{c : Choice} (P : Process ∞ {lu} c) 
              (Q : Process ∞ {lu} c) → Set 
    _⊑fdi₃_ {lu}{c} P Q = (l : Stream {∞} (Label lu)) 
                          (tr : infTr {∞} l Q) 
                          → infTr {∞} l P 

    _⊑fdi_ : {lu : LUniv}{c : Choice} (P : Process ∞ {lu} c) 
             (Q : Process ∞ {lu} c) → Set 
    P ⊑fdi Q = (((P ⊑ Q) × (P ⊑fdi₁ Q)) × (P ⊑fdi₂ros Q)) × (P ⊑fdi₃ Q) 

    _≡fdi_ : {lu : LUniv}{c₀ : Choice} → (P Q : Process ∞ {lu} c₀) → Set 
    P ≡fdi Q = (P ⊑fdi Q) × (Q ⊑fdi P) 
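The notions of Chapter 8 (traces with next process, Schneider and Roscoe stability, refusal sets, stable failures, _⊑sf_) and of this chapter (DivergentProcess, TraceDivergent, failure, _⊑fdi_) can all be computed outright once a process is a finite labelled transition system. The following Python program is an added illustration, not code from CSP-Agda or from the thesis: it models a process as a dict of transitions, enumerates traces up to a bound, decides both notions of stability, and runs the refinement checks on the two motivating examples, (a → STOP) □ (b → STOP) against (a → STOP) ⊓ (b → STOP) from the beginning of Chapter 8, and the diverging process of Sect. 9.1 against STOP. The infinite-traces component _⊑fdi₃_ is not modelled, and the state names, the alphabet {a, b} and the bound max_len are constructed for the example.

```python
"""Finite-state model of the stable failures model (Chapter 8) and of the
failures/divergences part of the FDI model (Chapter 9).  Added illustration, not
CSP-Agda code: a process is a finite LTS, a dict from state to a list of
(label, next state) pairs; TAU is internal choice and TICK the termination event."""
from itertools import combinations

TAU, TICK = "tau", "tick"

def tau_closure(lts, s):
    """States reachable from s by zero or more tau-transitions."""
    seen, todo = {s}, [s]
    while todo:
        for lab, t in lts[todo.pop()]:
            if lab == TAU and t not in seen:
                seen.add(t)
                todo.append(t)
    return seen

def after(lts, s, trace):
    """States reachable after the visible trace (the next process m of TrP)."""
    states = tau_closure(lts, s)
    for ev in trace:
        states = {v for u in states for lab, t in lts[u] if lab == ev
                  for v in tau_closure(lts, t)}
    return states

def traces(lts, s, max_len):
    """Visible traces of length <= max_len; TICK counts as a final event."""
    result, frontier = {()}, {(): tau_closure(lts, s)}
    for _ in range(max_len):
        nxt = {}
        for tr, states in frontier.items():
            for u in states:
                for lab, t in lts[u]:
                    if lab != TAU:
                        nxt.setdefault(tr + (lab,), set()).update(tau_closure(lts, t))
        result.update(nxt)
        frontier = nxt
    return result

def stable(lts, s, roscoe=True):
    """Schneider: no tau-transition; Roscoe: additionally no termination event."""
    labels = {lab for lab, _ in lts[s]}
    return TAU not in labels and not (roscoe and TICK in labels)

def powerset(alphabet):
    return [frozenset(c) for r in range(len(alphabet) + 1)
            for c in combinations(sorted(alphabet), r)]

def refusals(lts, s, alphabet, roscoe=True):
    """refusal: X is refused by a stable state reachable from s by taus only."""
    refused = set()
    for u in tau_closure(lts, s):
        if stable(lts, u, roscoe):
            offered = {lab for lab, _ in lts[u]}
            refused.update(x for x in powerset(alphabet) if not (x & offered))
    return refused

def divergent(lts, s):
    """DivergentProcess: an infinite tau-sequence, i.e. a tau-cycle, is reachable."""
    return any(u in tau_closure(lts, t) for u in tau_closure(lts, s)
               for lab, t in lts[u] if lab == TAU)

def stable_failures(lts, s, alphabet, max_len, roscoe=True):
    """stableFailure: (trace, X) such that a stable state refusing X follows trace."""
    return {(tr, x) for tr in traces(lts, s, max_len)
            for u in after(lts, s, tr) for x in refusals(lts, u, alphabet, roscoe)}

def divergences(lts, s, max_len):
    """TraceDivergent: traces after which a divergent state is reachable."""
    return {tr for tr in traces(lts, s, max_len)
            if any(divergent(lts, u) for u in after(lts, s, tr))}

def failures(lts, s, alphabet, max_len, roscoe=True):
    """failure: stable failures plus unstable ones (a divergent state refuses all)."""
    return stable_failures(lts, s, alphabet, max_len, roscoe) | {
        (tr, x) for tr in divergences(lts, s, max_len) for x in powerset(alphabet)}

def sf_refines(spec, impl, alphabet, max_len=3, roscoe=True):
    """spec ⊑sf impl: traces and stable failures of impl are among those of spec."""
    (p, s), (q, t) = spec, impl
    return (traces(q, t, max_len) <= traces(p, s, max_len) and
            stable_failures(q, t, alphabet, max_len, roscoe)
            <= stable_failures(p, s, alphabet, max_len, roscoe))

def fdi_refines(spec, impl, alphabet, max_len=3):
    """spec ⊑fdi impl on traces, divergences and failures; ⊑fdi₃ is not modelled."""
    (p, s), (q, t) = spec, impl
    return (traces(q, t, max_len) <= traces(p, s, max_len) and
            divergences(q, t, max_len) <= divergences(p, s, max_len) and
            failures(q, t, alphabet, max_len) <= failures(p, s, alphabet, max_len))

# Constructed sample processes over the alphabet {a, b}.
EXT = {"P": [("a", "STOP"), ("b", "STOP")], "STOP": []}         # (a->STOP) [] (b->STOP)
INT = {"Q": [(TAU, "Qa"), (TAU, "Qb")], "Qa": [("a", "STOP")],   # (a->STOP) |~| (b->STOP)
       "Qb": [("b", "STOP")], "STOP": []}
STOP = {"STOP": []}
DIV = {"D": [(TAU, "D"), (TAU, "STOP")], "STOP": []}             # the process Q of Sect. 9.1
ASKIP = {"R": [("a", "R1")], "R1": [(TICK, "DONE")], "DONE": []}  # a -> SKIP
ALPHA = {"a", "b"}
```

On these samples the two choice operators have the same traces but the internal choice has the stable failure ((), {b}) which the external choice lacks, so the internal choice is refined by the external one under ⊑sf and not conversely. The diverging process is stable-failures equivalent to STOP in both directions, yet it has the divergence (), so under ⊑fdi it is refined by STOP but does not refine it. The state R1 of a → SKIP offers only a termination event: it is Schneider-stable and refuses {a, b}, but Roscoe-unstable and contributes no refusals.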
9.7 Proofs in Failures Divergences Infinite Traces Semantics 

As for stable failures semantics, carrying out proofs directly in the failures, 
divergences and infinite traces model is more complex than expected. For 
instance, if one wants to show commutativity of □, one first needs to 
investigate the form of the processes one obtains after following a trace 
starting with (Q □ P), and needs to show that one obtains the same process, 
but commuted, if one starts with (P □ Q). However, after an external choice 
these processes may have a different form, namely (fmap∞ inj₁ P), which one 
needs to take care of. So one needs to introduce different lemmas for all the 
different forms of processes one obtains. Then one needs to show that the two 
processes obtained after a trace have the same properties regarding being 
stable, divergent, their refusal sets, and their infinite traces. This is very 
tedious. Therefore, in the following we present only the straightforward proof 
that refinement with respect to FDI semantics is a partial order, which can be 
carried out more easily. 

In Chapter 10 we will then show laws regarding stable failures and FDI 
semantics in an indirect way, which is much easier: we show that 
divergence-respecting weak bisimilarity and strong bisimilarity imply 
equivalence with respect to these semantics, and then show that certain 
algebraic laws hold with respect to one of these two bisimilarity relations. 

We now show that the refinement relations _⊑fdi₁_, _⊑fdi₂ros_, _⊑fdi₃_ and 
_⊑fdi_ are reflexive, antisymmetric, and transitive, i.e. fulfil the following 
laws (where ⊑ is one of these relations and ≡ the corresponding equality 
relation): 

    $P \sqsubseteq P$ 

    $P_0 \sqsubseteq P_1 \;\wedge\; P_1 \sqsubseteq P_0 \;\Rightarrow\; P_0 \equiv P_1$ 

    $P_0 \sqsubseteq P_1 \;\wedge\; P_1 \sqsubseteq P_2 \;\Rightarrow\; P_0 \sqsubseteq P_2$ 

For the first three of the above relations, the definition is given by stating 
that if the second process fulfils a certain property (e.g. that tr is a 
divergent trace), the first process fulfils it as well. Two processes are 
equivalent if refinement goes in both directions. This implies immediately 
reflexivity, antisymmetry, and transitivity. Furthermore, _⊑fdi_ is the 
conjunction of _⊑_, _⊑fdi₁_, _⊑fdi₂ros_ and _⊑fdi₃_, and therefore (omitting 
the similar proofs of the above properties for _⊑_, _⊑fdi₂ros_ and _⊑fdi₃_) 
we obtain reflexivity, antisymmetry, and transitivity for _⊑fdi_ as well: 

    refl⊑fdi₁ : {lu : LUniv}{c : Choice} 
                (P : Process ∞ {lu} c) → P ⊑fdi₁ P 
    refl⊑fdi₁ P l divp = divp 

    antiSym⊑fdi₁ : {lu : LUniv}{c₀ : Choice} 
                   (P Q : Process ∞ {lu} c₀) → P ⊑fdi₁ Q 
                   → Q ⊑fdi₁ P → P ≡fdi₁ Q 
    antiSym⊑fdi₁ P Q PQ QP = PQ ,, QP 

    trans⊑fdi₁ : {lu : LUniv}{c : Choice} 
                 (P : Process ∞ {lu} c) 
                 (Q : Process ∞ {lu} c) 
                 (R : Process ∞ {lu} c) 
                 → P ⊑fdi₁ Q → Q ⊑fdi₁ R → P ⊑fdi₁ R 
    trans⊑fdi₁ P Q R PQ QR l divp = PQ l (QR l divp) 

    refl⊑fdi : {lu : LUniv}{c : Choice} 
               (P : Process ∞ {lu} c) → P ⊑fdi P 
    refl⊑fdi P = ((refl⊑ P ,, refl⊑fdi₁ P) ,, refl⊑fdi₂ P) ,, refl⊑fdi₃ P 

    antiSym⊑fdi : {lu : LUniv}{c₀ : Choice} 
                  → (P Q : Process ∞ {lu} c₀) → P ⊑fdi Q 
                  → Q ⊑fdi P → P ≡fdi Q 
    antiSym⊑fdi P Q PQ QP = PQ ,, QP 

    trans⊑fdi : {lu : LUniv}{c : Choice} 
                (P : Process ∞ {lu} c) 
                (Q : Process ∞ {lu} c) 
                (R : Process ∞ {lu} c) 
                → P ⊑fdi Q → Q ⊑fdi R → P ⊑fdi R 
    trans⊑fdi P Q R (((PQ ,, PQfdi₁) ,, PQfdi₂) ,, PQfdi₃) 
                    (((QR ,, QRfdi₁) ,, QRfdi₂) ,, QRfdi₃) 
      = (((trans⊑ P Q R PQ QR 
          ,, trans⊑fdi₁ P Q R PQfdi₁ QRfdi₁) 
          ,, trans⊑fdi₂ P Q R PQfdi₂ QRfdi₂) 
          ,, trans⊑fdi₃ P Q R PQfdi₃ QRfdi₃) 
Chapter 10 

Bisimulation 

The notions of process equivalence in CSP are defined via traces, failures, 
divergences etc., and are therefore not directly based on the underlying 
transition system. Other process algebras like CCS define the meaning of 
processes directly by using the underlying labelled transition system (LTS). 
That approach allows one to decide equivalence by deciding whether the 
corresponding LTSs are essentially the same. Several equivalences over LTSs 
capturing what it means to be "essentially the same" have been suggested; 
they are called bisimilarities. 

As discussed in Sect. 9.7, proofs in FDI semantics and in stable failures 
semantics turn out to be more complex than expected. Consider a proof of 
commutativity of external choice □. In a direct proof, one first needs to 
investigate the form of the processes one obtains after following a trace 
starting with (Q □ P), and then one needs to show that one obtains the same 
process, but commuted, if one starts with (P □ Q). However, after an external 
choice these processes have a different form, for instance (fmap∞ inj₁ P), 
which one needs to take care of. Then one needs to show that the two processes 
obtained after a trace have the same properties regarding being stable, 
divergent, and their refusal sets. 

In this chapter we present a more elegant way by defining strong and 
divergence-respecting weak bisimilarity (DRW). We show that algebraic 
properties hold with respect to one of these relations and that these 
relations imply equivalence with respect to stable failures and FDI semantics. 
This way we obtain proofs of algebraic laws with respect to stable failures 
and FDI semantics in an indirect way. 

We first introduce strong (Sect. 10.1) and divergence-respecting weak 
bisimilarity (Sect. 10.2) in CSP-Agda, following the definitions in Roscoe 
[2010, 1998]. Then we prove reflexivity for strong (Sect. 10.3) and 
divergence-respecting weak bisimilarity (Sect. 10.4), and symmetry of DRW 
bisimilarity (Sect. 10.5). In Sect. 10.6 we carry out in Agda the proof that 
strong bisimilarity implies DRW bisimilarity. Furthermore, we prove that 
strong and weak bisimilarity (and therefore as well divergence-respecting weak 
bisimilarity) imply trace equivalence. Then we prove in Sect. 10.8 the key 
Lemma 2.4.6, and obtain that bisimilarity implies stable failures equivalence 
(Sect. 10.10) and FDI equivalence (Sect. 10.11). In Sect. 10.12 we prove 
selected algebraic laws indirectly using strong bisimilarity: commutativity of 
the external choice operator (Sect. 10.12.1) and of the interleaving operator 
(Sect. 10.12.2), and the first and third monadic laws (Sect. 10.13). We will 
discuss the problems with respect to the second monadic law. 


10.1 Defining Strong Bisimilarity for CSP-Agda 

In Sect. 2.4.5 we introduced the notion of strong bisimilarity. In short, two 
processes are strongly bisimilar if they have the same set of events, and for 
each event the processes obtained afterwards are again strongly bisimilar. 
This recursive definition needs to be considered coinductively, since 
processes might proceed forever. 

In CSP-Agda we define strong bisimilarity directly in a coinductive way, in 
the same way as processes were defined in Sect. 5.3, and obtain the largest 
bisimilarity relation. In the following we define the predicate Bisims 
expressing that two processes are bisimilar. We define as well Bisims+ and 
Bisims∞ for processes in Process+ and Process∞ respectively. 

Since processes in CSP-Agda are described in a monadic way, we need to check 
for bisimilar processes that, in case they have terminated, the results 
returned by them are equal. 

For an element of Process we get the following definition of bisimilarity: 

• Terminated processes are strongly bisimilar iff their return values are the 
  same, and we denote the proof by eqterminate. 

• The notion of bisimilarity for non-terminated processes refers to the 
  corresponding notion of bisimilarity for Process+, and the resulting proof 
  will be denoted by eqnode. 

The corresponding definition for elements of Process is as follows: 

    data Bisims {i : Size}{lu : LUniv}{c : Choice} : 
                (P P' : Process ∞ {lu} c) → Set where 
      eqterminate : {a : ChoiceSet c} 
                    → Bisims {i} (terminate a) (terminate a) 
      eqnode : {Q Q' : Process+ ∞ {lu} c} → Bisims+ {i} Q Q' 
               → Bisims {i} (node Q) (node Q') 

In the case of Process+, two processes are strongly bisimilar iff: 

• For every external choice of the first process there is an external choice 
  of the second process such that the labels are the same and the resulting 
  processes are bisimilar. 

• For every internal choice of the first process, the second one has an 
  internal choice as well, and the resulting two processes are bisimilar. 

• For every termination event of the first process, the second one has a 
  termination event as well, and the returned values are equal. 

• The reverse direction (from the second to the first process) holds as well. 

We obtain the following definition of bisimilarity for Process+: 

record Bisims+ {i : Size}{lu : LUniv}{c : Choice}
       (P P' : Process+ ∞ {lu} c) : Set where
  coinductive
  field
    bisim2E     : (e : ChoiceSet (E P)) → ChoiceSet (E P')
    bisimELab   : (e : ChoiceSet (E P))
                  → Lab P e ≡ Lab P' (bisim2E e)
    bisimENext  : (e : ChoiceSet (E P))
                  → Bisims∞ {i} (PE P e) (PE P' (bisim2E e))
    bisim2I     : (int₁ : ChoiceSet (I P)) → ChoiceSet (I P')
    bisimINext  : (int₁ : ChoiceSet (I P))
                  → Bisims∞ {i} (PI P int₁) (PI P' (bisim2I int₁))
    bisim2T     : (t : ChoiceSet (T P)) → ChoiceSet (T P')
    bisim2TEq   : (t : ChoiceSet (T P))
                  → PT P t ≡ PT P' (bisim2T t)
    bisim2Er    : (e : ChoiceSet (E P')) → ChoiceSet (E P)
    bisimELabr  : (e : ChoiceSet (E P'))
                  → Lab P' e ≡ Lab P (bisim2Er e)
    bisimENextr : (e : ChoiceSet (E P'))
                  → Bisims∞ {i} (PE P (bisim2Er e)) (PE P' e)
    bisim2Ir    : (int₁ : ChoiceSet (I P')) → ChoiceSet (I P)
    bisimINextr : (int₁ : ChoiceSet (I P'))
                  → Bisims∞ {i} (PI P (bisim2Ir int₁)) (PI P' int₁)
    bisim2Tr    : (t : ChoiceSet (T P')) → ChoiceSet (T P)
    bisim2TEqr  : (t : ChoiceSet (T P'))
                  → PT P' t ≡ PT P (bisim2Tr t)

Finally, bisimilarity for Process∞ is bisimilarity of the underlying Process: 

record Bisims∞ {i : Size}{lu : LUniv}{c : Choice}
       (P P' : Process∞ ∞ {lu} c) : Set where
  coinductive
  field
    forceB : {j : Size< i} → Bisims {j} {lu} (forcep P) (forcep P')


10.2 Defining Divergence-Respecting Weak Bisimilarity for CSP-Agda 

Strong bisimilarity as an equality on CSP processes is too strong. The 
processes τ → P and P should be equivalent in CSP, but they are usually 
not strongly bisimilar. For instance, if P has no internal choice we have 
that τ → P has a τ-transition, whereas P doesn't. In order to fix this one 
needs to move to weak bisimilarity, which essentially ignores finitely many 
τ-transitions. 

However, there is still a problem: weak bisimilarity identifies processes 
which differ only in divergent processes. For instance the divergent process 
DIV, which has only a τ-transition to itself, and the process STOP, which 
has no transitions, are weakly bisimilar, since the relation {(DIV, STOP)} 
is a weak bisimulation. For DIV we have $DIV \stackrel{s}{\Longrightarrow} P \iff (P = DIV \land s = [])$ 
and for STOP we have $STOP \stackrel{s}{\Longrightarrow} P \iff (P = STOP \land s = [])$. However DIV 
and STOP are neither stable failures equivalent nor FDI-equivalent. One can 
show that weak bisimilarity implies trace equivalence. So weak bisimilarity 
only implies trace equivalence, but not stable failures or FDI equivalence. 

In order to fix this one introduces divergence-respecting weak bisimilarity, 
a slight strengthening of weak bisimilarity which demands in addition 
that, for two weakly bisimilar processes, if one is divergent then the other 
is divergent as well. The definitions of weak and divergence-respecting weak 
bisimilarity in CSP can be found in Sect. 2.4.5. 
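The three distinctions drawn above can be checked mechanically on a finite labelled transition system. The following is an added example written for this text, not CSP-Agda code: it computes strong, weak and divergence-respecting weak bisimilarity as greatest fixpoints over a constructed four-state LTS containing STOP, DIV, P = a → STOP and τ → P, and confirms that τ → P and P are weakly but not strongly bisimilar, while DIV and STOP are weakly but not DRW-bisimilar.

```python
"""Strong, weak and divergence-respecting weak (DRW) bisimilarity on a finite
labelled transition system.  Added example for this text; not CSP-Agda code.

Each bisimilarity is the greatest fixpoint of its transfer condition: start
from all candidate pairs and delete pairs that violate the condition until
nothing changes.  TAU is the silent action.
"""
from itertools import product

TAU = "tau"

# Constructed sample LTS: state -> list of (action, successor).
# STOP has no transitions, DIV only a tau-loop, tauP is "tau -> P".
LTS = {
    "STOP": [],
    "DIV": [(TAU, "DIV")],
    "P": [("a", "STOP")],
    "tauP": [(TAU, "P")],
}


def strong_step(lts, s, act):
    """Successors of s under one transition labelled act."""
    return {t for a, t in lts[s] if a == act}


def tau_closure(lts, s):
    """States reachable from s by zero or more tau transitions."""
    seen, stack = {s}, [s]
    while stack:
        x = stack.pop()
        for a, y in lts[x]:
            if a == TAU and y not in seen:
                seen.add(y)
                stack.append(y)
    return seen


def weak_step(lts, s, act):
    """s ==act==> t: tau* act tau* for a visible act, tau* for act == TAU."""
    pre = tau_closure(lts, s)
    if act == TAU:
        return pre
    mid = {y for x in pre for a, y in lts[x] if a == act}
    return {z for y in mid for z in tau_closure(lts, y)}


def divergent(lts, s):
    """In a finite LTS an infinite tau path exists iff a tau-cycle is tau-reachable."""
    def tau_plus(x):  # states reachable from x by one or more tau steps
        return {z for a, y in lts[x] if a == TAU for z in tau_closure(lts, y)}
    return any(x in tau_plus(x) for x in tau_closure(lts, s))


def largest_bisimulation(lts, step, respect_divergence=False):
    """Greatest fixpoint of the transfer condition for the given step relation.

    With respect_divergence=True only pairs agreeing on divergence are
    candidates; together with step=weak_step this is Roscoe's
    divergence-respecting weak bisimilarity.
    """
    states = list(lts)
    acts = {a for s in states for a, _ in lts[s]}
    rel = set(product(states, states))
    if respect_divergence:
        rel = {(p, q) for p, q in rel if divergent(lts, p) == divergent(lts, q)}

    def transfers(p, q, rel):
        # every step of p is answered by a step of q into a related state
        return all(any((p1, q1) in rel for q1 in step(lts, q, a))
                   for a in acts for p1 in step(lts, p, a))

    while True:
        inverse = {(q, p) for p, q in rel}
        new = {(p, q) for p, q in rel
               if transfers(p, q, rel) and transfers(q, p, inverse)}
        if new == rel:
            return rel
        rel = new


def strong_bisimilar(lts, p, q):
    return (p, q) in largest_bisimulation(lts, strong_step)


def weak_bisimilar(lts, p, q):
    return (p, q) in largest_bisimulation(lts, weak_step)


def drw_bisimilar(lts, p, q):
    return (p, q) in largest_bisimulation(lts, weak_step, respect_divergence=True)


if __name__ == "__main__":
    for name, rel in (("strong", strong_bisimilar), ("weak", weak_bisimilar),
                      ("DRW", drw_bisimilar)):
        print(f"{name:>6}: tauP ~ P: {rel(LTS, 'tauP', 'P')!s:5}"
              f"  DIV ~ STOP: {rel(LTS, 'DIV', 'STOP')}")
```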

In Agda we first use the definition of divergent process. We repeat the 
definition, which was already given in Sect. 9.3, for convenience: a process is 
divergent if it has infinitely many τ-transitions, as given by the following 
coinductive definition: 

record DivergentProcess∞ (i : Size){lu : LUniv}(c : Choice)
       (P : Process∞ ∞ {lu} c) : Set where
  coinductive
  field
    forcediv : {j : Size< i} → DivergentProcess j {lu} c (forcep P)

data DivergentProcess (i : Size){lu : LUniv}(c : Choice)
     : (P : Process ∞ {lu} c) → Set where
  div : (P : Process+ ∞ c) (divP : DivergentProcess+ i c P)
        → DivergentProcess i c (node P)

data DivergentProcess+ (i : Size){lu : LUniv}(c : Choice)
     (P : Process+ ∞ {lu} c) : Set where
  div+ : (int : ChoiceSet (I P))
         (divP : DivergentProcess∞ i c (PI P int))
         → DivergentProcess+ i c P

Since we are using constructive logic, we need to deal with the fact that 
the negation of divergence doesn't imply that a process eventually becomes 
stable, a property which we need in order to prove that DRW-bisimilarity 
implies stable failures equivalence. In order to fix this we introduce a positive 
notion of non-divergence expressing that a process eventually becomes stable. 
We need as well the property that for any subprocess obtained when 
following τ-transitions we can decide whether there is a further τ-transition 
or not, in order to be able to determine a stable subprocess. The definition 
in Agda is as follows: 

record NonDivergent∞ {i : Size}{lu : LUniv}{c : Choice}
       (P : Process∞ ∞ {lu} c) : Set where
  inductive
  field
    forceND : {j : Size< i} → NonDivergent {j} (forcep P)

NonDivergent : {i : Size}{lu : LUniv}{c : Choice}
               (P : Process ∞ {lu} c) → Set
NonDivergent (terminate x)  = ⊤
NonDivergent {i} (node Q)   = NonDivergent+ {i} Q

data NonDivergent+ {i : Size}{lu : LUniv}{c : Choice}
     (P : Process+ ∞ {lu} c) : Set where
  nondiv : ((int₁ : ChoiceSet (I P)) → NonDivergent∞ {i} (PI P int₁))
           → (chemptyornot : ChoiceSet (I P) ⊎ ¬ (ChoiceSet (I P)))
           → NonDivergent+ {i} P

Note the extra condition chemptyornot, namely that it is decidable whether 
there is an internal choice or not, and in case there is, we can determine an 
index for an internal choice. We need this in order to find, for a non-divergent 
process, a stable process which is reachable from it by τ-transitions: if the 
process has a τ-transition we choose one (as given by chemptyornot), and 
if it hasn't we are at least stable in the sense of Schneider (Roscoe requires 
as well that there are no termination events). In general chemptyornot does 
not hold; it usually holds for explicitly given processes. 

Since in CSP-Agda processes are monadic, we need to make sure that the 
return values of terminated processes are the same. However, since in weak 
bisimilarity we ignore finitely many τ-transitions, we need to treat a process 
having as its only event a termination event as equivalent to a terminated 
process with the same return value. Therefore we define more generally what 
it means to be a termination equivalent process: 

• A process is termination equivalent with return value a, if all it can do 
is have finitely many τ-transitions, after which it can always do either 
a termination event with return value a, or it becomes the terminated 
process with return value a. 

In addition we need that a termination equivalent process either has a 
silent transition, or has no silent transition and a termination event: if 
it had neither, it would be the STOP process, which is not termination 
equivalent; if it had both, it could do two different things at the same 
time. 

• The process terminate a is weakly bisimilar to Q, iff Q is termination 
equivalent with return value a. 


TerminateEquivalent∞ : {lu : LUniv}{c : Choice}(a : ChoiceSet c)
                       (P : Process∞ ∞ {lu} c) → Set
TerminateEquivalent∞ a P = TerminateEquivalent a (forcep P)

data TerminateEquivalent {lu : LUniv}{c : Choice}(a : ChoiceSet c)
     : (P : Process ∞ {lu} c) → Set where
  termeqterm : TerminateEquivalent a (terminate a)
  termeqnode : {P : Process+ ∞ {lu} c}
               (terequivP : TerminateEquivalent+ a P)
               → TerminateEquivalent a (node P)

record TerminateEquivalent+ {lu : LUniv}{c : Choice}(a : ChoiceSet c)
       (P : Process+ ∞ {lu} c) : Set where
  inductive
  field
    noExtChoice       : (e : ChoiceSet (E P)) → ⊥
    onlyIntChoice     : (i : ChoiceSet (I P))
                        → TerminateEquivalent∞ a (PI P i)
    termIsa           : (t : ChoiceSet (T P)) → a ≡ PT P t
    hasTauOrTickNoTau : ChoiceSet (I P) ⊎
                        (¬ (ChoiceSet (I P)) × ChoiceSet (T P))

We note here the condition hasTauOrTickNoTau. It expresses that either we have 
an explicit internal choice, which we could use in order to find a Schneider- 
stable process reachable by τ-transitions only, or there is no internal choice, in 
which case we have a termination event which by termIsa must have return 
value a. This condition allows us to find, by following τ-transitions, a process 
which has no τ-transition but a ✓-event. 

We can now define that two processes are DRW-bisimilar, iff: 

• If the first process is the terminated process with return value a, then 
the other process is termination equivalent with return value a. The 
corresponding proof is denoted by eqterminate. 

• The same, with the two processes interchanged; the constructor for this 
proof is called eqterminater. 

• Two non-terminated processes are DRW-bisimilar, if the corresponding 
elements of Process+ are so. 

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We obtain the following definition of bisimilarity for Process: 

data Bisimw {i : Size}{lu : LUniv}{c : Choice}
     : (P P' : Process ∞ {lu} c) → Set where
  eqterminate  : {a : ChoiceSet c} → {P' : Process ∞ {lu} c}
                 (terequiv : TerminateEquivalent a P')
                 → Bisimw {i} (terminate a) P'
  eqterminater : {a : ChoiceSet c} → {P : Process ∞ {lu} c}
                 (terequiv : TerminateEquivalent a P)
                 → Bisimw {i} P (terminate a)
  eqnode       : {Q Q' : Process+ ∞ {lu} c}
                 (bisimQQ' : Bisimw+ {i} Q Q')
                 → Bisimw {i} (node Q) (node Q')

In the case of Process+, two processes P and P' are DRW-bisimilar, iff the 
following holds: 

• If the process P is divergent, then P' is divergent as well, given by field 
bisimdiv below. 

• In case P is non-divergent, then P' is non-divergent, given by field 
nondiv+ below. 

• If P has an external choice with label l resulting in process Q, then 
P' has a trace [l] resulting in a process Q' which is DRW-bisimilar to 
Q. This property is given by the three fields bisimEP', bisimEtr, and 
bisimEnext. 

• If P has an internal choice resulting in process Q, then P' has a trace [] 
resulting in a process Q' which is DRW-bisimilar to Q. This property 
is given by the three fields bisimIP', bisimItr, and bisimInext. 

• If P has a termination event with return value a, then P' has a trace 
[] ending in a termination event with return value a (field bisimTtr). 

• In addition we have the same conditions, but with the processes 
interchanged (the field names are the same as before but with an "r" 
added). 

The definition of DRW-bisimilarity in the case of Process+ in CSP-Agda is 
as follows: 

record Bisimw+ {i : Size}{lu : LUniv}{c : Choice}
       (P P' : Process+ ∞ {lu} c) : Set where
  coinductive
  field
    bisimdiv    : DivergentProcess+ i c P → DivergentProcess+ i c P'
    nondiv+     : NonDivergent+ {i} P → NonDivergent+ {i} P'
    bisimEP'    : (e : ChoiceSet (E P)) → Process∞ ∞ {lu} c
    bisimEtr    : (e : ChoiceSet (E P))
                  → P' →+*[ Lab P e ∷ [] ] (forcep (bisimEP' e))
    bisimEnext  : (e : ChoiceSet (E P))
                  → Bisimw∞ {i} (PE P e) (bisimEP' e)
    bisimIP'    : (int₁ : ChoiceSet (I P)) → Process∞ ∞ {lu} c
    bisimItr    : (int₁ : ChoiceSet (I P))
                  → P' →+*[ [] ] (forcep (bisimIP' int₁))
    bisimInext  : (int₁ : ChoiceSet (I P))
                  → Bisimw∞ {i} (PI P int₁) (bisimIP' int₁)
    bisimTtr    : (t : ChoiceSet (T P)) → TrP+ [] (inj₂ (PT P t)) P'
    bisimdivr   : DivergentProcess+ i c P' → DivergentProcess+ i c P
    nondiv+r    : NonDivergent+ {i} P' → NonDivergent+ {i} P
    bisimEP'r   : (e : ChoiceSet (E P')) → Process∞ ∞ {lu} c
    bisimEtrr   : (e : ChoiceSet (E P'))
                  → TrP+ (Lab P' e ∷ []) (inj₁ (forcep (bisimEP'r e))) P
    bisimEnextr : (e : ChoiceSet (E P'))
                  → Bisimw∞ {i} (bisimEP'r e) (PE P' e)
    bisimIP'r   : (int₁ : ChoiceSet (I P')) → Process∞ ∞ {lu} c
    bisimItrr   : (int₁ : ChoiceSet (I P'))
                  → TrP+ [] (inj₁ (forcep (bisimIP'r int₁))) P
    bisimInextr : (int₁ : ChoiceSet (I P'))
                  → Bisimw∞ {i} (bisimIP'r int₁) (PI P' int₁)
    bisimTtrr   : (t : ChoiceSet (T P')) → TrP+ [] (inj₂ (PT P' t)) P

Here _→+*[_]_ stands for the following: 


_→+*[_]_ : {lu : LUniv}{c : Choice}(P : Process+ ∞ {lu} c)
           (l : List (Label lu))
           (Q : Process ∞ {lu} c) → Set
_→+*[_]_ {lu} {c} P l Q = TrP+ {lu} {c} l (inj₁ Q) P


Finally, bisimilarity for Process∞ is bisimilarity of the underlying Process: 

record Bisimw∞ {i : Size}{lu : LUniv}{c : Choice}
       (P P' : Process∞ ∞ {lu} c) : Set where
  coinductive
  field
    forceB : {j : Size< i} → Bisimw {j} (forcep P) (forcep P')


10.3 Proof of Reflexivity for Strong Bisimilarity 

The proof of reflexivity for strong bisimilarity is straightforward: 

Theorem 10.3.1 (Agda Theorem) 

BismsRef∞ : {i : Size}{lu : LUniv}{c : Choice}
            (P : Process∞ ∞ {lu} c)
            → Bisims∞ {i} P P

BismsRef : {i : Size}{lu : LUniv}{c : Choice}
           (P : Process ∞ {lu} c)
           → Bisims {i} P P

BismsRef+ : {i : Size}{lu : LUniv}{c : Choice}
            (P : Process+ ∞ {lu} c)
            → Bisims+ {i} P P

Proof: 

forceB (BismsRef∞ P) = BismsRef (forcep P)

BismsRef (terminate x) = eqterminate
BismsRef (node P)      = eqnode (BismsRef+ P)

bisim2E     (BismsRef+ P) e = e
bisimELab   (BismsRef+ P) e = refl
bisimENext  (BismsRef+ P) e = BismsRef∞ (PE P e)
bisim2I     (BismsRef+ P) e = e
bisimINext  (BismsRef+ P) e = BismsRef∞ (PI P e)
bisim2T     (BismsRef+ P) e = e
bisim2TEq   (BismsRef+ P) e = refl
bisim2Er    (BismsRef+ P) e = e
bisimELabr  (BismsRef+ P) e = refl
bisimENextr (BismsRef+ P) e = BismsRef∞ (PE P e)
bisim2Ir    (BismsRef+ P) e = e
bisimINextr (BismsRef+ P) e = BismsRef∞ (PI P e)
bisim2Tr    (BismsRef+ P) e = e
bisim2TEqr  (BismsRef+ P) e = refl

10.4 Proof of Reflexivity for Divergence-Respecting Weak Bisimilarity 

A proof that divergence-respecting weak bisimilarity is reflexive is again 
straightforward: 

Theorem 10.4.1 (Agda Theorem) 

BismwRef∞ : {i : Size}{lu : LUniv}{c : Choice}
            (P : Process∞ ∞ {lu} c)
            → Bisimw∞ {i} P P

BismwRef : {i : Size}{lu : LUniv}{c : Choice}
           (P : Process ∞ {lu} c)
           → Bisimw {i} P P

BismwRef+ : {i : Size}{lu : LUniv}{c : Choice}
            (P : Process+ ∞ {lu} c)
            → Bisimw+ {i} P P

Proof: 

forceB (BismwRef∞ {i} {lu} P) {j} = BismwRef {j} {lu} (forcep P)

BismwRef (terminate x) = eqterminate termeqterm
BismwRef (node x)      = eqnode (BismwRef+ x)

bisimdiv    (BismwRef+ P) e = e
nondiv+     (BismwRef+ P) e = e
bisimEP'    (BismwRef+ P) e = PE P e
bisimEtr    (BismwRef+ P) e =
  extc [] (inj₁ (forcep (PE P e))) e (reflTrP∞ (PE P e))
bisimEnext  (BismwRef+ P) e = BismwRef∞ (PE P e)
bisimIP'    (BismwRef+ P) i = PI P i
bisimItr    (BismwRef+ P) e =
  intc [] (inj₁ (forcep (PI P e))) e (reflTrP∞ (PI P e))
bisimInext  (BismwRef+ P) e = BismwRef∞ (PI P e)
bisimTtr    (BismwRef+ P) e = terc e
bisimdivr   (BismwRef+ P) e = e
nondiv+r    (BismwRef+ P) e = e
bisimEP'r   (BismwRef+ P) e = PE P e
bisimEtrr   (BismwRef+ P) e =
  extc [] (inj₁ (forcep (PE P e))) e (reflTrP∞ (PE P e))
bisimEnextr (BismwRef+ P) e = BismwRef∞ (PE P e)
bisimIP'r   (BismwRef+ P) i = PI P i
bisimItrr   (BismwRef+ P) e =
  intc [] (inj₁ (forcep (PI P e))) e (reflTrP∞ (PI P e))
bisimInextr (BismwRef+ P) e = BismwRef∞ (PI P e)
bisimTtrr   (BismwRef+ P) e = terc e


10.5 Proof of Symmetry for Divergence-Respecting Weak Bisimilarity 

Note that, as in the case of strong bisimilarity, the definition in 10.1 is 
symmetric. So if R is a bisimulation, then R⁻¹ is as well. Therefore we obtain 
a straightforward proof that divergence-respecting weak bisimilarity is symmetric: 

Theorem 10.5.1 (Agda Theorem) 

BismwSym∞ : {i : Size}{lu : LUniv}{c : Choice}
            (P P' : Process∞ ∞ {lu} c)
            (PP' : Bisimw∞ {i} P P')
            → Bisimw∞ {i} P' P

BismwSym : {i : Size}{lu : LUniv}{c : Choice}
           (P P' : Process ∞ {lu} c)
           (PP' : Bisimw {i} P P')
           → Bisimw {i} P' P

BismwSym+ : {i : Size}{lu : LUniv}{c : Choice}
            (P P' : Process+ ∞ {lu} c)
            (PP' : Bisimw+ {i} P P')
            → Bisimw+ {i} P' P


Proof: 

forceB (BismwSym∞ P P' PP') = BismwSym (forcep P) (forcep P') (forceB PP')

BismwSym (terminate x) (terminate .x) (eqterminate termeqterm) =
  eqterminate termeqterm
BismwSym (terminate x) (terminate .x) (eqterminater termeqterm) =
  eqterminater termeqterm
BismwSym (terminate x) (node P') (eqterminate (termeqnode terequivP)) =
  eqterminater (termeqnode terequivP)
BismwSym (node P) (terminate x) (eqterminater (termeqnode terequivP)) =
  eqterminate (termeqnode terequivP)
BismwSym (node P) (node P') (eqnode PP') = eqnode (BismwSym+ P P' PP')

bisimdiv    (BismwSym+ P P' PP') = bisimdivr PP'
nondiv+     (BismwSym+ P P' PP') = nondiv+r PP'
bisimEP'    (BismwSym+ P P' PP') = bisimEP'r PP'
bisimEtr    (BismwSym+ P P' PP') = bisimEtrr PP'
bisimEnext  (BismwSym+ P P' PP') e =
  BismwSym∞ (bisimEP'r PP' e) (PE P' e) (bisimEnextr PP' e)
bisimIP'    (BismwSym+ P P' PP') = bisimIP'r PP'
bisimItr    (BismwSym+ P P' PP') = bisimItrr PP'
bisimInext  (BismwSym+ P P' PP') e =
  BismwSym∞ (bisimIP'r PP' e) (PI P' e) (bisimInextr PP' e)
bisimTtr    (BismwSym+ P P' PP') = bisimTtrr PP'
bisimdivr   (BismwSym+ P P' PP') = bisimdiv PP'
nondiv+r    (BismwSym+ P P' PP') = nondiv+ PP'
bisimEP'r   (BismwSym+ P P' PP') = bisimEP' PP'
bisimEtrr   (BismwSym+ P P' PP') = bisimEtr PP'
bisimEnextr (BismwSym+ P P' PP') e =
  BismwSym∞ (PE P e) (bisimEP' PP' e) (bisimEnext PP' e)
bisimIP'r   (BismwSym+ P P' PP') = bisimIP' PP'
bisimItrr   (BismwSym+ P P' PP') = bisimItr PP'
bisimInextr (BismwSym+ P P' PP') e =
  BismwSym∞ (PI P e) (bisimIP' PP' e) (bisimInext PP' e)
bisimTtrr   (BismwSym+ P P' PP') = bisimTtr PP'


10.6 Proof that Strong Bisimilarity Implies Divergence-Respecting Weak Bisimilarity 

It is a quite natural consequence of the definitions that every strong 
bisimulation is a DRW-bisimulation, and therefore strong bisimilarity implies DRW- 
bisimilarity. For example, it is straightforward to show that, if P and Q are 
strongly bisimilar, then $P\Uparrow \iff Q\Uparrow$. A proof that strong bisimilarity 
implies divergence-respecting weak bisimilarity is as follows: 

Theorem 10.6.1 (Agda Theorem) 
bisimsToBismw∞ : {i : Size}{lu : LUniv}{c : Choice}
                 (P P' : Process∞ ∞ {lu} c)
                 → Bisims∞ {i} P P'
                 → Bisimw∞ {i} P P'

bisimsToBismw : {i : Size}{lu : LUniv}{c : Choice}
                (P P' : Process ∞ {lu} c)
                → Bisims {i} P P'
                → Bisimw {i} P P'

bisimsToBismw+ : {i : Size}{lu : LUniv}{c : Choice}
                 (P P' : Process+ ∞ {lu} c)
                 → Bisims+ {i} P P'
                 → Bisimw+ {i} P P'


Proof: 

forceB (bisimsToBismw∞ {i} P P' PP') {j} =
  bisimsToBismw (forcep P) (forcep P') (forceB PP' {j})

bisimsToBismw .(terminate a) .(terminate a) (eqterminate {a}) =
  eqterminate termeqterm
bisimsToBismw .(node Q) .(node Q') (eqnode {Q} {Q'} x) =
  eqnode (bisimsToBismw+ Q Q' x)

bisimdiv    (bisimsToBismw+ P P' PP') = divLemBisims+ P P' PP'
nondiv+     (bisimsToBismw+ P P' PP') = nondivLemBisims+ P P' PP'
bisimEP'    (bisimsToBismw+ P P' PP') e = PE P' (bisim2E PP' e)
bisimEtr    (bisimsToBismw+ P P' PP') e rewrite (bisimELab PP' e) =
  extc [] (inj₁ (forcep (PE P' (bisim2E PP' e))))
       (bisim2E PP' e) (reflTrP∞ (PE P' (bisim2E PP' e)))
bisimEnext  (bisimsToBismw+ P P' PP') e =
  bisimsToBismw∞ (PE P e) (PE P' (bisim2E PP' e)) (bisimENext PP' e)
bisimIP'    (bisimsToBismw+ P P' PP') e = PI P' (bisim2I PP' e)
bisimItr    (bisimsToBismw+ P P' PP') e =
  intc [] (inj₁ (forcep (PI P' (bisim2I PP' e))))
       (bisim2I PP' e) (reflTrP∞ (PI P' (bisim2I PP' e)))
bisimInext  (bisimsToBismw+ P P' PP') e =
  bisimsToBismw∞ (PI P e) (PI P' (bisim2I PP' e)) (bisimINext PP' e)
bisimTtr    (bisimsToBismw+ P P' PP') t rewrite (bisim2TEq PP' t) =
  terc (bisim2T PP' t)
bisimdivr   (bisimsToBismw+ P P' PP') = divLemBisims+r P P' PP'
nondiv+r    (bisimsToBismw+ P P' PP') = nondivLemBisims+r P P' PP'
bisimEP'r   (bisimsToBismw+ P P' PP') e = PE P (bisim2Er PP' e)
bisimEtrr   (bisimsToBismw+ P P' PP') e rewrite (bisimELabr PP' e) =
  extc [] (inj₁ (forcep (PE P (bisim2Er PP' e))))
       (bisim2Er PP' e) (reflTrP∞ (PE P (bisim2Er PP' e)))
bisimEnextr (bisimsToBismw+ P P' PP') e =
  bisimsToBismw∞ (PE P (bisim2Er PP' e)) (PE P' e) (bisimENextr PP' e)
bisimIP'r   (bisimsToBismw+ P P' PP') e = PI P (bisim2Ir PP' e)
bisimItrr   (bisimsToBismw+ P P' PP') e =
  intc [] (inj₁ (forcep (PI P (bisim2Ir PP' e))))
       (bisim2Ir PP' e) (reflTrP∞ (PI P (bisim2Ir PP' e)))
bisimInextr (bisimsToBismw+ P P' PP') e =
  bisimsToBismw∞ (PI P (bisim2Ir PP' e)) (PI P' e) (bisimINextr PP' e)
bisimTtrr   (bisimsToBismw+ P P' PP') t rewrite (bisim2TEqr PP' t) =
  terc (bisim2Tr PP' t)

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10.7 Bisimilarity Implies Trace Equivalence 

As we have seen before, weak bisimilarity cannot distinguish between 
primitive processes like STOP and DIV. In fact weak bisimilarity does not 
imply any CSP semantic equality other than trace equivalence. However, 
divergence-respecting weak bisimilarity respects all such models: if two LTS 
nodes are divergence-respecting weakly bisimilar, they are equivalent in all 
standard CSP semantics. Here we prove that strong and divergence-respecting 
weak bisimilarity imply trace equivalence. 


10.7.1 Strong Bisimilarity Implies Trace Equivalence 

We give here a proof that strong bisimilarity implies trace equivalence. Since 
the direct proof that strong bisimilarity implies trace equivalence is more 
straightforward and natural, we give it here. 

The proof is obtained by taking a trace of one process and replacing each 
step by steps in the other process. The proof that strong bisimilarity implies 
refinement with respect to traces is as follows: 

SbisimTraceEq∞ : {lu : LUniv}{c : Choice}(P P' : Process∞ ∞ {lu} c)
                 (PP' : Bisims∞ {∞} P P') → P ⊑∞ P'
SbisimTraceEq∞ {lu}{c} P P' PP' l m tr =
  SbisimTraceEq (forcep P) (forcep P') (forceB PP') l m tr

SbisimTraceEq : {lu : LUniv}{c : Choice}(P P' : Process ∞ c)
                (PP' : Bisims {∞} P P') → P ⊑ P'
SbisimTraceEq .(terminate x) .(terminate x) eqterminate
              .[] .(just x) (ter x) = ter x
SbisimTraceEq .(terminate x) .(terminate x) eqterminate
              .[] .nothing (empty x) = empty x
SbisimTraceEq .(node P) .(node P') (eqnode {P} {P'} PP')
              .[] .nothing (tnode empty) = tnode empty
SbisimTraceEq {lu}{c} .(node P) .(node P') (eqnode {P} {P'} PP')
              .(Lab P' x ∷ l) me (tnode (extc l .me x tr₂')) = tnode tr
  where
    Q' : Process∞ ∞ {lu} c
    Q' = PE P' x

    Q : Process∞ ∞ {lu} c
    Q = bisimEP'r (bisimsToBismw+ P P' PP') x

    QQ' : Bisimw∞ Q Q'
    QQ' = bisimEnextr (bisimsToBismw+ P P' PP') x

    tr₁ : P →+*[ Lab P' x ∷ [] ] (forcep Q)
    tr₁ = bisimEtrr (bisimsToBismw+ P P' PP') x

    tr₂'' : Tr∞ {lu}{c} l me Q'
    tr₂'' = tr₂'

    tr₂ : Tr∞ {lu}{c} l me Q
    tr₂ = bisimTraceEq∞ {lu}{c} Q Q' QQ' l me tr₂''

    tr : Tr+ {lu}{c} (Lab P' x ∷ l) me P
    tr = traceAppendTrw+ c P (forcep Q) (Lab P' x ∷ []) l me tr₁ tr₂

SbisimTraceEq {lu}{c} .(node P) .(node P') (eqnode {P} {P'} PP')
              l me (tnode (intc .l .me x tr₂')) = tnode tr
  where
    Q' : Process∞ ∞ {lu} c
    Q' = PI P' x

    Q : Process∞ ∞ {lu} c
    Q = bisimIP'r (bisimsToBismw+ P P' PP') x

    QQ' : Bisimw∞ Q Q'
    QQ' = bisimInextr (bisimsToBismw+ P P' PP') x

    tr₁ : P →+*[ [] ] (forcep Q)
    tr₁ = bisimItrr (bisimsToBismw+ P P' PP') x

    tr₂'' : Tr∞ {lu}{c} l me Q'
    tr₂'' = tr₂'

    tr₂ : Tr∞ {lu}{c} l me Q
    tr₂ = bisimTraceEq∞ {lu}{c} Q Q' QQ' l me tr₂''

    tr : Tr+ {lu}{c} ([] ++ l) me P
    tr = traceAppendTrw+ c P (forcep Q) [] l me tr₁ tr₂

SbisimTraceEq .(node P) .(node P') (eqnode {P} {P'} PP')
              .[] .(just (PT P' x)) (tnode (terc x)) =
  tnode (trPtoTr+ [] (inj₂ (PT P' x)) P tr₁)
  where
    tr₁ : TrP+ [] (inj₂ (PT P' x)) P
    tr₁ = bisimTtrr (bisimsToBismw+ P P' PP') x


10.7.2 Divergence-Respecting Weak Bisimilarity Implies Trace Equivalence 

The proof that divergence-respecting weak bisimilarity implies trace 
equivalence is similar to the one before, and the first cases are straightforward. In 
the cases of external and internal choice, we have to define the trace by combining 
the trace from process P to subprocess Q with the trace from Q to 
the maybe-terminated process me. A proof that divergence-respecting weak 
bisimilarity implies trace equivalence is as follows: 


Theorem 10.7.1 (Agda Theorem) 
bisimTraceEq∞ : {lu : LUniv}{c : Choice}
                (P P' : Process∞ ∞ {lu} c)
                (PP' : Bisimw∞ {∞} P P')
                → P ⊑∞ P'

bisimTraceEq : {lu : LUniv}{c : Choice}
               (P P' : Process ∞ c)
               (PP' : Bisimw {∞} P P')
               → P ⊑ P'

bisimTraceEq+ : {lu : LUniv}{c : Choice}
                (P P' : Process+ ∞ c)
                (PP' : Bisimw+ {∞} P P')
                → P ⊑+ P'


Proof: 

bisimTraceEq∞ P P' PP' l m tr =
  bisimTraceEq (forcep P) (forcep P') (forceB PP' {∞}) l m tr

bisimTraceEq .(terminate x) .(terminate x) (eqterminate termeqterm)
             .[] .(just x) (ter x) = ter x
bisimTraceEq P .(terminate x) (eqterminater terequivP)
             .[] .(just x) (ter x) =
  termEquivalentImpliesTrace P terequivP
bisimTraceEq .(terminate x) .(terminate x) (eqterminate termeqterm)
             .[] .nothing (empty x) = empty x
bisimTraceEq P .(terminate x) (eqterminater terequivP)
             .[] .nothing (empty x) =
  termEquivalentImpliesTraceEmpty P terequivP
bisimTraceEq .(terminate a) .(node P) (eqterminate {a} terEquivP)
             .l .x (tnode {l} {x} {P} tr) =
  termEquivalentTraceIsTerTrace+ P l terEquivP tr
bisimTraceEq .(node Q) .(node Q') (eqnode {Q} {Q'} QQ') .[] .nothing
             (tnode {.[]} {.nothing} {.Q'} empty) = tnode empty
bisimTraceEq {lu}{c} .(node P) .(node P') (eqnode {P} {P'} PP')
             .(Lab P' x ∷ l) .me (tnode (extc l me x tr₂')) = tnode tr
  where
    Q' : Process∞ ∞ {lu} c
    Q' = PE P' x

    Q : Process∞ ∞ {lu} c
    Q = bisimEP'r PP' x

    QQ' : Bisimw∞ Q Q'
    QQ' = bisimEnextr PP' x

    tr₁ : P →+*[ Lab P' x ∷ [] ] (forcep Q)
    tr₁ = bisimEtrr PP' x

    tr₂'' : Tr∞ {lu} {c} l me Q'
    tr₂'' = tr₂'

    tr₂ : Tr∞ {lu} {c} l me Q
    tr₂ = bisimTraceEq∞ {lu} {c} Q Q' QQ' l me tr₂''

    tr : Tr+ {lu} {c} (Lab P' x ∷ l) me P
    tr = traceAppendTrw+ c P (forcep Q) (Lab P' x ∷ []) l me tr₁ tr₂

bisimTraceEq {lu} {c} .(node P) .(node P') (eqnode {P} {P'} PP')
             l me (tnode (intc .l .me x tr₂')) = tnode tr
  where
    Q' : Process∞ ∞ {lu} c
    Q' = PI P' x

    Q : Process∞ ∞ {lu} c
    Q = bisimIP'r PP' x

    QQ' : Bisimw∞ Q Q'
    QQ' = bisimInextr PP' x

    tr₁ : P →+*[ [] ] (forcep Q)
    tr₁ = bisimItrr PP' x

    tr₂ : Tr∞ {lu} {c} l me Q
    tr₂ = bisimTraceEq∞ {lu}{c} Q Q' QQ' l me tr₂'

    tr : Tr+ {lu}{c} ([] ++ l) me P
    tr = traceAppendTrw+ c P (forcep Q) [] l me tr₁ tr₂

bisimTraceEq {lu}{c} .(node P) .(node P') (eqnode {P} {P'} PP')
             .[] .(just (PT P' x)) (tnode {.[]} {.(just (PT P' x))}
             {.P'} (terc x)) =
  tnode (trPtoTr+ [] (inj₂ (PT P' x)) P tr₁)
  where
    tr₁ : TrP+ [] (inj₂ (PT P' x)) P
    tr₁ = bisimTtrr PP' x

bisimTraceEq+ P P' PP' .[] .nothing empty = empty
bisimTraceEq+ {lu}{c} P P' PP' .(Lab P' x ∷ k) m (extc k .m x tr₂') = tr
  where
    Q' : Process∞ ∞ {lu} c
    Q' = PE P' x

    Q : Process∞ ∞ {lu} c
    Q = bisimEP'r PP' x

    QQ' : Bisimw∞ Q Q'
    QQ' = bisimEnextr PP' x

    tr₁ : P →+*[ Lab P' x ∷ [] ] (forcep Q)
    tr₁ = bisimEtrr PP' x

    tr₂'' : Tr∞ {lu}{c} k m Q'
    tr₂'' = tr₂'

    tr₂ : Tr∞ k m Q
    tr₂ = bisimTraceEq∞ {lu}{c} Q Q' QQ' k m tr₂''

    tr : Tr+ {lu}{c} (Lab P' x ∷ k) m P
    tr = traceAppendTrw+ c P (forcep Q) (Lab P' x ∷ []) k m tr₁ tr₂

bisimTraceEq+ P P' PP' l m (intc .l .m x tr₂') = tr
  where
    Q' : Process∞ ∞ {lu} c
    Q' = PI P' x

    Q : Process∞ ∞ {lu} c
    Q = bisimIP'r PP' x

    QQ' : Bisimw∞ Q Q'
    QQ' = bisimInextr PP' x

    tr₁ : P →+*[ [] ] (forcep Q)
    tr₁ = bisimItrr PP' x

    tr₂ : Tr∞ {lu}{c} l m Q
    tr₂ = bisimTraceEq∞ Q Q' QQ' l m tr₂'

    tr : Tr+ {lu}{c} ([] ++ l) m P
    tr = traceAppendTrw+ c P (forcep Q) [] l m tr₁ tr₂

bisimTraceEq+ P P' PP' .[] .(just (PT P' t)) (terc t) =
  trPtoTr+ [] (inj₂ (PT P' t)) P tr₁
  where
    tr₁ : TrP+ [] (inj₂ (PT P' t)) P
    tr₁ = bisimTtrr PP' t

By symmetry of DRW-bisimulation we obtain refinement in the other 
direction as well: 

bisimTraceEq∞r : {lu : LUniv}{c : Choice}(P P' : Process∞ ∞ {lu} c)
                 (PP' : Bisimw∞ {∞} P P') → P' ⊑∞ P
bisimTraceEq∞r P P' PP' = bisimTraceEq∞ P' P (BismwSym∞ P P' PP')

bisimTraceEq+r : {lu : LUniv}{c : Choice}(P P' : Process+ ∞ {lu} c)
                 (PP' : Bisimw+ {∞} P P') → P' ⊑+ P
bisimTraceEq+r P P' PP' = bisimTraceEq+ P' P (BismwSym+ P P' PP')

bisimTraceEqr : {lu : LUniv}{c : Choice}(P P' : Process ∞ {lu} c)
                (PP' : Bisimw {∞} P P') → P' ⊑ P
bisimTraceEqr P P' PP' = bisimTraceEq P' P (BismwSym P P' PP')

This implies that DRW-bisimilarity implies trace equivalence: 

Theorem 10.7.2 (Agda Theorem) 
bisimTraceEq∞= : {lu : LUniv}{c : Choice}
                 (P P' : Process∞ ∞ {lu} c)
                 (PP' : Bisimw∞ {∞} P P')
                 → P ≡∞ P'

bisimTraceEq+= : {lu : LUniv}{c : Choice}
                 (P P' : Process+ ∞ {lu} c)
                 (PP' : Bisimw+ {∞} P P')
                 → P ≡+ P'

bisimTraceEq= : {lu : LUniv}{c : Choice}
                (P P' : Process ∞ {lu} c)
                (PP' : Bisimw {∞} P P')
                → P ≡ P'


Proof: 

bisimTraceEq∞= P P' PP' = bisimTraceEq∞ P P' PP' ,
                          bisimTraceEq∞r P P' PP'

bisimTraceEq+= P P' PP' = bisimTraceEq+ P P' PP' ,
                          bisimTraceEq+r P P' PP'

bisimTraceEq= P P' PP' = bisimTraceEq P P' PP' ,
                         bisimTraceEqr P P' PP'

We can now get an alternative proof that strong bisimilarity implies trace 
equivalence: 

Theorem 10.7.3 (Agda Theorem) 
bisimTraceEqs∞= : {lu : LUniv}{c : Choice}
                  (P P' : Process∞ ∞ {lu} c)
                  (PP' : Bisims∞ {∞} P P')
                  → P ≡∞ P'

bisimTraceEqs+= : {lu : LUniv}{c : Choice}
                  (P P' : Process+ ∞ {lu} c)
                  (PP' : Bisims+ {∞} P P')
                  → P ≡+ P'

bisimTraceEqs= : {lu : LUniv}{c : Choice}
                 (P P' : Process ∞ {lu} c)
                 (PP' : Bisims {∞} P P')
                 → P ≡ P'


Proof: 

bisimTraceEqs∞= P P' PP' =
  bisimTraceEq∞= P P' (bisimsToBismw∞ P P' PP')

bisimTraceEqs+= P P' PP' =
  bisimTraceEq+= P P' (bisimsToBismw+ P P' PP')

bisimTraceEqs= P P' PP' =
  bisimTraceEq= P P' (bisimsToBismw P P' PP')

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10.8 Proof of Lemma 2.4.6 Part 1 

In Sect. 2.4.5 we proved the Key Lemma for DRW-bisimulation (Lemma 
2.4.6) as taken from Roscoe [2010, 1998]. This lemma shows that DRW- 
bisimilarity respects stable states. In this section, we will go through the 
proof using standard CSP, and then prove it step by step in Agda. We 
repeat Lemma 2.4.6, but with the bisimulation R replaced by ~, since we will 
later use R to denote a process: 

Lemma (repetition of Lemma 2.4.6) Let $\sim$ be a DRW-bisimulation. 

• $\forall P, P', Q \in S.\ \forall s \in \Sigma^{*\checkmark}.\ P \sim P' \land P \stackrel{s}{\Longrightarrow} Q$ 
$\Rightarrow \exists Q' \in S.\ P' \stackrel{s}{\Longrightarrow} Q' \land Q \sim Q' \land (\mathrm{stable}(Q) \Rightarrow \mathrm{stable}(Q'))$ 

• $\forall P, P', Q' \in S.\ \forall s \in \Sigma^{*\checkmark}.\ P \sim P' \land P' \stackrel{s}{\Longrightarrow} Q'$ 
$\Rightarrow \exists Q \in S.\ P \stackrel{s}{\Longrightarrow} Q \land Q \sim Q' \land (\mathrm{stable}(Q') \Rightarrow \mathrm{stable}(Q))$ 

In Chapter 2 we proved the first direction for normal CSP. In this section, 
in order to motivate the Agda proof, we repeat this proof step by step, but for 
the second direction, and show how each step is proved in Agda. 

Assume we have the following: 

$P \sim P' \land P' \stackrel{s}{\Longrightarrow} Q' \land \mathrm{stable}(Q')$ (*) 

Then by $\sim$ being a DRW-bisimulation we obtain a Q such that 

$Q \sim Q' \land P \stackrel{s}{\Longrightarrow} Q$ 

By $Q \sim Q' \land \mathrm{stable}(Q')$ we get that Q' and therefore as well Q are non-divergent 
processes. 

Therefore there exists $\hat{Q}$ such that 
$Q \stackrel{[]}{\Longrightarrow} \hat{Q} \land \mathrm{stable}(\hat{Q})$ 

By $Q \sim Q'$ there exists $\hat{Q}'$ such that $Q' \stackrel{[]}{\Longrightarrow} \hat{Q}'$ and $\hat{Q} \sim \hat{Q}'$. By 
stability of Q' we get $\hat{Q}' = Q'$. Therefore we get $\mathrm{stable}(\hat{Q})$ and $\hat{Q} \sim Q'$. 

If in (*) we only had Q' without stability, we would just get Q which is 
DRW-bisimilar to Q', and a trace s from P to Q. 

In Figure 10.1, we display the situation, except that the processes are called
R, R', ... instead of Q, Q', ... in order to coincide with the notation used in
Agda (where we work directly with bisimilarity instead of bisimulation, so
there is no occurrence of the relation R). So we have two processes P and P'
which are bisimilar, and we have a subprocess R' and a trace from P' to R'
where R' is stable. By bisimilarity, we can obtain a process R and a trace
from P to R such that R and R' are bisimilar. The subprocess R may be
stable or can do τ-events to reach R̂, which is stable and bisimilar to R'.

Figure 10.1: Proof of Lemma 2.4.6 (diagram; recoverable labels: P and P'
related by PP', trace tr₁' from P' to R', trace tr₁ from P to R, R and R'
related by RR', and tr₂ (τ only) from R to R̂)

In this section we prove this lemma in Agda, however only obtaining
Schneider instead of Roscoe stability. In Section 10.9 we will show that we
obtain Roscoe stability. There we will prove as well the theorem for the case that we
don't assume stability of Q', and therefore don't get stability for the resulting
process.

In the first stage of the proof, we need to define the process R as shown
in Figure 10.1. In Agda we define it as follows:

  bisimTraceTrP∞₁ : {lu : LUniv}{c : Choice}(P P' : Process∞ ∞ c)
                    (PP' : Bisimw∞ {∞} P P')(l : List (Label lu))
                    (tick : Process ∞ {lu} c ⊎ ChoiceSet c)
                    (tr : TrP∞ l tick P')
                    → Process ∞ {lu} c ⊎ ChoiceSet c
  bisimTraceTrP∞₁ P P' PP' l x tr = bisimTraceTrP₁ (forcep P) (forcep P')
                                                    (forceB PP') l x tr

  bisimTraceTrP₁ : {lu : LUniv}{c : Choice}(P P' : Process ∞ {lu} c)
                   (PP' : Bisimw {∞} P P')
                   (l : List (Label lu))
                   (tick : Process ∞ {lu} c ⊎ ChoiceSet c)
                   (tr : TrP l tick P')
                   → Process ∞ {lu} c ⊎ ChoiceSet c
  bisimTraceTrP₁ .(terminate y) (terminate x) (eqterminate {y} x₁)
                 .[] .(inj₂ x) (ter .x) = inj₂ y
  bisimTraceTrP₁ P (terminate x) (eqterminater termequivP)
                 .[] .(inj₂ x) (ter .x) = termequivPToTick₁ x P termequivP
  bisimTraceTrP₁ .(terminate y) (terminate x) (eqterminate {y} x₁) .[]
                 .(inj₁ (terminate x)) (empty .x) = inj₁ (terminate y)
  bisimTraceTrP₁ P (terminate x) (eqterminater termequivP) .[]
                 .(inj₁ (terminate x)) (empty .x) = termequivPToTick₁' x P termequivP
  bisimTraceTrP₁ .(terminate a) (node P') (eqterminate {a} nodexTerEquiv)
                 l (inj₁ x) (tnode tr) = inj₁ (terminate a)
  bisimTraceTrP₁ .(terminate a) (node P') (eqterminate {a} nodexTerEquiv)
                 l (inj₂ y) (tnode tr) = inj₂ a
  bisimTraceTrP₁ (node P) (node P') (eqnode {P} PP') l tick
                 (tnode tr) = bisimTraceTrP₁+ P P' PP' l tick tr

  bisimTraceTrP₁+ : {lu : LUniv}{c : Choice}
                    (P P' : Process+ ∞ c)
                    (PP' : Bisimw+ {∞} P P')
                    (l : List (Label lu))
                    (tick : Process ∞ {lu} c ⊎ ChoiceSet c)
                    (tr : TrP+ l tick P')
                    → Process ∞ {lu} c ⊎ ChoiceSet c
  bisimTraceTrP₁+ P P' PP' .[] .(inj₁ (node P')) empty = inj₁ (node P)
  bisimTraceTrP₁+ {lu}{c} P P' PP' .(Lab P' x ∷ l) tick (extc l .tick x tr) =
                  bisimTraceTrP∞₁ R R' RR' l tick tr
    module bisimETraceTrP₁+auxmodule where
      -- the subprocess R' of P' after the external choice x, and its
      -- bisimilar counterpart R of P
      R' : Process∞ ∞ c
      R' = PE P' x

      R : Process∞ ∞ c
      R = bisimEP'r PP' x

      RR' : Bisimw∞ {∞} R R'
      RR' = bisimEnextr PP' x
  bisimTraceTrP₁+ {lu}{c} P P' PP' l tick (intc .l .tick x x₁) =
                  bisimTraceTrP∞₁ R R' RR' l tick x₁
    module bisimITraceTrP₁+auxmodule where
      -- the same for the internal choice x
      R' : Process∞ ∞ c
      R' = PI P' x

      R : Process∞ ∞ c
      R = bisimIP'r PP' x

      RR' : Bisimw∞ {∞} R R'
      RR' = bisimInextr PP' x
  bisimTraceTrP₁+ P P' PP' .[] .(inj₂ (PT P' x)) (terc x) = inj₂ (PT P' x)

Then we have to define the trace connecting the process P with the 
process R as shown in the previous figure, and this is defined in CSP-Agda 
as follows: 

  bisimTraceTrP∞₂ : {lu : LUniv}{c : Choice}(P P' : Process∞ ∞ c)
                    (PP' : Bisimw∞ {∞} P P')(l : List (Label lu))
                    (tick : Process ∞ {lu} c ⊎ ChoiceSet c)
                    (tr : TrP∞ l tick P')
                    → TrP∞ l (bisimTraceTrP∞₁ P P' PP' l tick tr) P
  bisimTraceTrP∞₂ P P' PP' l x tr = bisimTraceTrP₂ (forcep P) (forcep P')
                                                    (forceB PP') l x tr

  bisimTraceTrP₂ : {lu : LUniv}{c : Choice}
                   (P P' : Process ∞ {lu} c)
                   (PP' : Bisimw {∞} P P')
                   (l : List (Label lu))
                   (tick : Process ∞ {lu} c ⊎ ChoiceSet c)
                   (tr : TrP l tick P')
                   → TrP l (bisimTraceTrP₁ P P' PP' l tick tr) P
  bisimTraceTrP₂ .(terminate y) .(terminate x) (eqterminate {y} x₁)
                 .[] .(inj₂ x) (ter x) = ter y
  bisimTraceTrP₂ P .(terminate x) (eqterminater termequivP)
                 .[] .(inj₂ x) (ter x) = termequivPToTick₂ x P termequivP
  bisimTraceTrP₂ .(terminate y) .(terminate x) (eqterminate {y} x₁)
                 .[] .(inj₁ (terminate x)) (empty x) = empty y
  bisimTraceTrP₂ P .(terminate x) (eqterminater termequivP) .[]
                 .(inj₁ (terminate x)) (empty x) = termequivPToTick₂' x P termequivP
  bisimTraceTrP₂ {lu}{c} .(terminate a) .(node P') (eqterminate {a} termequivP) l
                 (inj₁ x) (tnode {.l} {.(inj₁ x)} {P'} tr)
                 rewrite (lemmaTraceTerminationEquivalentEmpty+' c l P' (inj₁ x) a termequivP tr)
                 = empty a
  bisimTraceTrP₂ {lu}{c} .(terminate a) .(node P') (eqterminate {a} termequivP) l
                 (inj₂ y) (tnode {.l} {.(inj₂ y)} {P'} tr)
                 rewrite (lemmaTraceTerminationEquivalentEmpty+' c l P' (inj₂ y) a termequivP tr)
                 = ter a
  bisimTraceTrP₂ {lu}{c} .(node P) .(node P') (eqnode {P} {P'} PP') l tick
                 (tnode tr) = tnode (bisimTraceTrP₂+ P P' PP' l tick tr)

  bisimTraceTrP₂+ : {lu : LUniv}{c : Choice}
                    (P P' : Process+ ∞ c)
                    (PP' : Bisimw+ {∞} P P')
                    (l : List (Label lu))
                    (tick : Process ∞ {lu} c ⊎ ChoiceSet c)
                    (tr : TrP+ l tick P')
                    → TrP+ l (bisimTraceTrP₁+ P P' PP' l tick tr) P
  bisimTraceTrP₂+ P P' PP' .[] .(inj₁ (node P')) empty = empty
  bisimTraceTrP₂+ {lu}{c} P P' PP' .(Lab P' x ∷ l) tick (extc l .tick x tr₁') = tr
    module bisimETraceTrP₂+auxmodule where
      R' : Process∞ ∞ c
      R' = PE P' x

      R : Process∞ ∞ c
      R = bisimEP'r PP' x

      RR' : Bisimw∞ {∞} R R'
      RR' = bisimEnextr PP' x

      -- the process reached from R by the remaining trace l
      Rhat : Process ∞ {lu} c ⊎ ChoiceSet c
      Rhat = bisimTraceTrP₁ (forcep R) (forcep (PE P' x)) (forceB RR') l tick tr₁'

      -- tr₁: one external step from P to R; tr₂: the trace l from R to Rhat
      tr₁ : P ⟶+*[ Lab P' x ∷ [] ] (forcep R)
      tr₁ = bisimEtrr PP' x

      tr₂ : TrP∞ {lu}{c} l Rhat R
      tr₂ = bisimTraceTrP₂ (forcep R) (forcep (PE P' x)) (forceB RR') l tick tr₁'

      tr : TrP+ (Lab P' x ∷ l) Rhat P
      tr = trPAppendTrw+ c P (forcep R) (Lab P' x ∷ []) l Rhat tr₁ tr₂
  bisimTraceTrP₂+ {lu}{c} P P' PP' l tick (intc .l .tick x tr₂') = tr
    module bisimITraceTrP₂+auxmodule where
      R' : Process∞ ∞ c
      R' = PI P' x

      R : Process∞ ∞ c
      R = bisimIP'r PP' x

      RR' : Bisimw∞ {∞} R R'
      RR' = bisimInextr PP' x

      Rhat : Process ∞ {lu} c ⊎ ChoiceSet c
      Rhat = bisimTraceTrP₁ (forcep (bisimIP'r PP' x)) (forcep (PI P' x))
                            (forceB (bisimInextr PP' x)) l tick tr₂'

      -- tr₁: the internal (empty-label) step from P to R
      tr₁ : P ⟶+*[ [] ] (forcep R)
      tr₁ = bisimItrr PP' x

      tr₂ : TrP l Rhat (forcep R)
      tr₂ = bisimTraceTrP₂ (forcep R) (forcep (PI P' x))
                           (forceB (bisimInextr PP' x)) l tick tr₂'

      tr : TrP+ l Rhat P
      tr = trPAppendTrw+ c P (forcep R) [] l Rhat tr₁ tr₂
  bisimTraceTrP₂+ {lu}{c} P P' PP' .[] .(inj₂ (PT P' x)) (terc x) = tr₁
    where
      tr₁ : TrP+ [] (inj₂ (PT P' x)) P
      tr₁ = bisimTtrr PP' x


The next step towards our goal is to prove that the process R and process 
R' are bisimilar. We carry out this proof in Agda as follows: 

  bisimTraceTrP∞₃ : {lu : LUniv}{c : Choice}(P P' : Process∞ ∞ c)
                    (PP' : Bisimw∞ {∞} P P')(l : List (Label lu))
                    (tick : Process ∞ {lu} c ⊎ ChoiceSet c)
                    (tr : TrP∞ l tick P')
                    → BisimForNextP (bisimTraceTrP∞₁ P P' PP' l tick tr) tick
  bisimTraceTrP∞₃ P P' PP' l x tr = bisimTraceTrP₃ (forcep P) (forcep P')
                                                    (forceB PP') l x tr

  bisimTraceTrP₃ : {lu : LUniv}{c : Choice}
                   (P P' : Process ∞ {lu} c)
                   (PP' : Bisimw {∞} P P')
                   (l : List (Label lu))
                   (tick : Process ∞ {lu} c ⊎ ChoiceSet c)
                   (tr : TrP l tick P')
                   → BisimForNextP (bisimTraceTrP₁ P P' PP' l tick tr) tick
  bisimTraceTrP₃ .(terminate x) (terminate x) (eqterminate {.x} termeqterm)
                 .[] .(inj₂ x) (ter .x) = refl
  bisimTraceTrP₃ P (terminate x) (eqterminater termequivP) .[] .(inj₂ x)
                 (ter .x) = termequivPToTick₃ x P termequivP
  bisimTraceTrP₃ .(terminate x) (terminate x) (eqterminate {.x} termeqterm) .[]
                 .(inj₁ (terminate x)) (empty .x) = eqterminate termeqterm
  bisimTraceTrP₃ P (terminate x) (eqterminater termequivP) .[]
                 .(inj₁ (terminate x)) (empty .x) = termequivPToTick₃' x P termequivP
  bisimTraceTrP₃ {lu}{c} .(terminate a) (node P') (eqterminate {a} (termeqnode terequivP))
                 l (inj₁ Q) (tnode tr) =
                 eqterminate (termEquivPreservedByTrace+ c l P' Q a terequivP tr)
  bisimTraceTrP₃ .(terminate a) (node P') (eqterminate {a} (termeqnode terequivP))
                 l (inj₂ y) (tnode tr) = termEquivPr+ c l y P' a terequivP tr
  bisimTraceTrP₃ .(node P) (node P') (eqnode {P} PP') l tick
                 (tnode tr) = bisimTraceTrP₃+ P P' PP' l tick tr

  bisimTraceTrP₃+ : {lu : LUniv}{c : Choice}
                    (P P' : Process+ ∞ c)
                    (PP' : Bisimw+ {∞} P P')
                    (l : List (Label lu))
                    (tick : Process ∞ {lu} c ⊎ ChoiceSet c)
                    (tr : TrP+ l tick P')
                    → BisimForNextP (bisimTraceTrP₁+ P P' PP' l tick tr) tick
  bisimTraceTrP₃+ P P' PP' .[] .(inj₁ (node P')) empty = eqnode PP'
  -- external choice x, the trace ends in a process (inj₁) or in a tick (inj₂);
  -- R and RR' are taken from the module defining bisimTraceTrP₁+
  bisimTraceTrP₃+ P P' PP' .(Lab P' x ∷ l) (inj₁ x₁) (extc l .(inj₁ x₁) x x₂) =
    bisimTraceTrP₃ (forcep (bisimETraceTrP₁+auxmodule.R P' l x (inj₁ x₁) P PP' x₂))
                   (forcep (PE P' x))
                   (forceB (bisimETraceTrP₁+auxmodule.RR' P' l x (inj₁ x₁) P PP' x₂))
                   l (inj₁ x₁) x₂
  bisimTraceTrP₃+ {lu}{c} P P' PP' .(Lab P' x ∷ l) (inj₂ y) (extc l .(inj₂ y) x x₁) =
    bisimTraceTrP₃ (forcep (bisimETraceTrP₁+auxmodule.R P' l x (inj₂ y) P PP' x₁))
                   (forcep (PE P' x))
                   (forceB (bisimETraceTrP₁+auxmodule.RR' P' l x (inj₂ y) P PP' x₁))
                   l (inj₂ y) x₁
  -- internal choice x₁ (resp. x), same two cases
  bisimTraceTrP₃+ {lu}{c} P P' PP' l (inj₁ x) (intc .l .(inj₁ x) x₁ x₂) =
    bisimTraceTrP₃ (forcep (bisimITraceTrP₁+auxmodule.R l (inj₁ x) P' P PP' x₁ x₂))
                   (forcep (PI P' x₁))
                   (forceB (bisimITraceTrP₁+auxmodule.RR' l (inj₁ x) P' P PP' x₁ x₂))
                   l (inj₁ x) x₂
  bisimTraceTrP₃+ P P' PP' l (inj₂ y) (intc .l .(inj₂ y) x x₁) =
    bisimTraceTrP₃ (forcep (bisimITraceTrP₁+auxmodule.R l (inj₂ y) P' P PP' x x₁))
                   (forcep (PI P' x))
                   (forceB (bisimITraceTrP₁+auxmodule.RR' l (inj₂ y) P' P PP' x x₁))
                   l (inj₂ y) x₁
  bisimTraceTrP₃+ {lu}{c} P P' PP' .[] .(inj₂ (PT P' x)) (terc x) = refl

By $R \sim R' \wedge \mathrm{stable}(R')$ we get that $R$ is a non-divergent process. The proof in
Agda is as follows:


mutual
  bisimStableImpliesNotDivergent∞ : {lu : LUniv}(c : Choice)
                                    (P P' : Process∞ ∞ {lu} c)
                                    (PP' : Bisimw∞ P P')
                                    (PS' : stable∞ P')
                                    (nonDivP' : NonDivergent∞ P')
                                    → NonDivergent∞ P
  forceND (bisimStableImpliesNotDivergent∞ c P P' PP' PS' nonDivP')
    = bisimStableImpliesNotDivergent c (forcep P) (forcep P') (forceB PP')
                                     PS' (forceND nonDivP')

  bisimStableImpliesNotDivergent : {lu : LUniv}(c : Choice)
                                   (P P' : Process ∞ {lu} c)
                                   (PP' : Bisimw P P')
                                   (PS' : stable P')
                                   (nonDivP' : NonDivergent P')
                                   → NonDivergent P
  bisimStableImpliesNotDivergent c (terminate x) P' PP' PS' nonDivP' = tt
  bisimStableImpliesNotDivergent c (node P) (terminate a)
                                 (eqterminater (termeqnode terequivP)) PS' nonDivP' =
    TerImpliesNotDivergentaux c (node P) a (termeqnode terequivP)
  bisimStableImpliesNotDivergent c (node P) (node P') (eqnode PP') PS' nonDivP' =
    bisimStableImpliesNotDivergent+ c P P' PP' PS' nonDivP'

  bisimStableImpliesNotDivergent+ : {lu : LUniv}(c : Choice)
                                    (P P' : Process+ ∞ {lu} c)
                                    (PP' : Bisimw+ P P')
                                    (PS' : stable+ P')
                                    (nonDivP' : NonDivergent+ P')
                                    → NonDivergent+ P
  bisimStableImpliesNotDivergent+ c P P' PP' PS' nonDivP' = nondiv+r PP' nonDivP'

Therefore there exists $\hat{R}$ such that $R \Longrightarrow \hat{R} \wedge \mathrm{stable}(\hat{R})$. In Agda we split
this in three parts: we define $\hat{R}$, then a trace from $R$ to $\hat{R}$, and finally a proof
that $\hat{R}$ is Schneider stable. That we obtain Schneider stability will be enough:
when using this lemma in order to prove Lemma 2.4.6 later, we will
get that the Schneider stable process we obtain is DRW-bisimilar to a process
which is Roscoe stable. We will then show that if a Schneider stable process is
DRW-bisimilar to a Roscoe stable process, then it is actually Roscoe stable.
So the process in question will in fact already be Roscoe stable as well.

The proof of the above statement in Agda is as follows:

mutual
  nonDivBecomeStable∞₁ : {lu : LUniv}(c : Choice)
                         (P : Process∞ ∞ {lu} c)
                         (nonDivP : NonDivergent∞ P)
                         → Process ∞ {lu} c
  nonDivBecomeStable∞₁ c P nonDivP = nonDivBecomeStable₁ c (forcep P) (forceND nonDivP)

  nonDivBecomeStable∞₂ : {lu : LUniv}(c : Choice)
                         (P : Process∞ ∞ {lu} c)
                         (nonDivP : NonDivergent∞ P)
                         → TrP∞ {lu} [] (inj₁ (nonDivBecomeStable∞₁ c P nonDivP)) P
  nonDivBecomeStable∞₂ c P nonDivP = nonDivBecomeStable₂ c (forcep P) (forceND nonDivP)

  nonDivBecomeStable∞₃ : {lu : LUniv}(c : Choice)
                         (P : Process∞ ∞ {lu} c)
                         (nonDivP : NonDivergent∞ P)
                         → stableSch (nonDivBecomeStable∞₁ c P nonDivP)
  nonDivBecomeStable∞₃ c P nonDivP = nonDivBecomeStable₃ c (forcep P) (forceND nonDivP)

  -- if P has an internal choice (inj₁ int), follow it; otherwise (inj₂ stab)
  -- P is already Schneider stable
  nonDivBecomeStable+₁ : {lu : LUniv}(c : Choice)
                         (P : Process+ ∞ {lu} c)
                         (nonDivP : NonDivergent+ P)
                         → Process ∞ {lu} c
  nonDivBecomeStable+₁ c P (nondiv x (inj₁ int)) = nonDivBecomeStable∞₁ c (PI P int) (x int)
  nonDivBecomeStable+₁ c P (nondiv x (inj₂ stab)) = node P

  nonDivBecomeStable+₂ : {lu : LUniv}(c : Choice)
                         (P : Process+ ∞ {lu} c)
                         (nonDivP : NonDivergent+ P)
                         → TrP+ {lu} [] (inj₁ (nonDivBecomeStable+₁ c P nonDivP)) P
  nonDivBecomeStable+₂ c P (nondiv x (inj₁ int)) =
    intc [] (inj₁ (nonDivBecomeStable+₁ c P (nondiv x (inj₁ int)))) int
         (nonDivBecomeStable∞₂ c (PI P int) (x int))
  nonDivBecomeStable+₂ c P (nondiv x (inj₂ stab)) = empty

  nonDivBecomeStable+₃ : {lu : LUniv}(c : Choice)
                         (P : Process+ ∞ {lu} c)
                         (nonDivP : NonDivergent+ P)
                         → stableSch (nonDivBecomeStable+₁ c P nonDivP)
  nonDivBecomeStable+₃ c P (nondiv x (inj₁ int)) = nonDivBecomeStable∞₃ c (PI P int) (x int)
  nonDivBecomeStable+₃ c P (nondiv x (inj₂ stab)) = stab

  nonDivBecomeStable₁ : {lu : LUniv}(c : Choice)
                        (P : Process ∞ {lu} c)
                        (nonDivP : NonDivergent P)
                        → Process ∞ {lu} c
  nonDivBecomeStable₁ c (terminate x) nonDivP = terminate x
  nonDivBecomeStable₁ c (node x) nonDivP = nonDivBecomeStable+₁ c x nonDivP

  nonDivBecomeStable₂ : {lu : LUniv}(c : Choice)
                        (P : Process ∞ {lu} c)
                        (nonDivP : NonDivergent P)
                        → TrP {lu} [] (inj₁ (nonDivBecomeStable₁ c P nonDivP)) P
  nonDivBecomeStable₂ c (terminate x) nonDivP = empty x
  nonDivBecomeStable₂ c (node x) nonDivP = tnode (nonDivBecomeStable+₂ c x nonDivP)

  nonDivBecomeStable₃ : {lu : LUniv}(c : Choice)
                        (P : Process ∞ {lu} c)
                        (nonDivP : NonDivergent P)
                        → stableSch (nonDivBecomeStable₁ c P nonDivP)
  nonDivBecomeStable₃ c (terminate x) nonDivP = _
  nonDivBecomeStable₃ c (node x) nonDivP = nonDivBecomeStable+₃ c x nonDivP



By $R \sim R'$ there exists $\hat{R}'$ such that $R' \Longrightarrow \hat{R}'$ and $\hat{R} \sim \hat{R}'$.
By $\mathrm{stable}(R')$ we get $\hat{R}' = R'$, therefore we get $\hat{R} \sim R'$.

In the following we carry out the proof in Agda:


mutual
  bisimPPWithEmptyTr∞ : {lu : LUniv}{c : Choice}
                        (P P' : Process∞ ∞ {lu} c)
                        (PP' : Bisimw∞ P P') (PS' : stable∞ P')
                        (nonDivP : NonDivergent∞ P)
                        (tr : TrP∞ {lu} [] (inj₁ (nonDivBecomeStable∞₁ c P nonDivP)) P)
                        → Bisimw (nonDivBecomeStable∞₁ c P nonDivP) (forcep P')
  bisimPPWithEmptyTr∞ P P' PP' PS' nonDivP tr =
    bisimPPWithEmptyTr (forcep P) (forcep P') (forceB PP') PS' (forceND nonDivP) tr

  bisimPPWithEmptyTr : {lu : LUniv}{c : Choice}
                       (P P' : Process ∞ {lu} c)
                       (PP' : Bisimw P P') (PS' : stable P')
                       (nonDivP : NonDivergent P)
                       (tr : TrP {lu} [] (inj₁ (nonDivBecomeStable₁ {lu} c P nonDivP)) P)
                       → Bisimw (nonDivBecomeStable₁ {lu} c P nonDivP) P'
  bisimPPWithEmptyTr {lu} {c} .(terminate x) (terminate x₁) PP' PS' nonDivP (empty x) = PP'
  bisimPPWithEmptyTr (node P) (terminate a) (eqterminater (termeqnode terequivP))
                     PS' (nondiv nondivPI (inj₁ x)) (tnode tr) =
    nonDivBecomesStableBisimProof∞ (PI P x) (nondivPI x) a (onlyIntChoice terequivP x)
  bisimPPWithEmptyTr (node P) (terminate x) (eqterminater (termeqnode terequivP))
                     PS' (nondiv x₁ (inj₂ y)) (tnode tr) =
    eqterminater (termeqnode terequivP)
  bisimPPWithEmptyTr (terminate P) (node P') PP' PS' nonDivP tr = PP'
  bisimPPWithEmptyTr (node P) (node P') (eqnode bisimPP') PS'
                     (nondiv x chemptyornot) (tnode tr) =
    bisimPPWithEmptyTr+ P P' bisimPP' PS' (nondiv x chemptyornot) tr

  bisimPPWithEmptyTr+ : {lu : LUniv}{c : Choice}
                        (P P' : Process+ ∞ {lu} c)
                        (PP' : Bisimw+ P P') (PS' : stable+ P')
                        (nonDivP : NonDivergent+ P)
                        (tr : TrP+ {lu} [] (inj₁ (nonDivBecomeStable+₁ c P nonDivP)) P)
                        → Bisimw (nonDivBecomeStable+₁ c P nonDivP) (node P')
  bisimPPWithEmptyTr+ {lu}{c} P P' PP' PS' (nondiv nondiv' (inj₁ x₁)) tr = PP'''
    where
      -- P'~ is the process P' reaches when matching the internal step x₁ of P;
      -- since P' is stable this empty trace cannot move, so P'~ is P' itself
      P'~ : Process∞ ∞ {lu} c
      P'~ = bisimIP' PP' x₁

      trP'P'~ : P' ⟶+*[ [] ] (forcep P'~)
      trP'P'~ = bisimItr PP' x₁

      P'≡P'~ : node P' ≡ forcep P'~ {∞}
      P'≡P'~ = emptyTrPtoQImpliesEq+ P' (forcep P'~) PS' trP'P'~

      P'~≡P' : forcep P'~ {∞} ≡ node P'
      P'~≡P' rewrite P'≡P'~ = refl

      P'~stable : stable (forcep P'~)
      P'~stable rewrite P'~≡P' = PS'

      PP'' : Bisimw (nonDivBecomeStable₁ c (forcep (PI P x₁)) (forceND (nondiv' x₁)))
                    (forcep P'~)
      PP'' = bisimPPWithEmptyTr (forcep (PI P x₁)) (forcep P'~ {∞})
                                (forceB (bisimInext PP' x₁))
                                P'~stable (forceND (nondiv' x₁))
                                (nonDivBecomeStable₂ c (forcep (PI P x₁)) (forceND (nondiv' x₁)))

      PP''' : Bisimw (nonDivBecomeStable∞₁ c (PI P x₁) (nondiv' x₁)) (node P')
      PP''' rewrite P'≡P'~ = PP''
  bisimPPWithEmptyTr+ P P' PP' PS' (nondiv x (inj₂ y)) empty = eqnode PP'
  bisimPPWithEmptyTr+ P P' PP' PS' (nondiv x (inj₂ y))
                      (intc .[] .(inj₁ (node P)) x₁ x₂) = eqnode PP'



10.9 Proof of Lemma 2.4.6, Part 2 (Obtaining Roscoe Stability)

In the previous Section 10.8 we proved that the resulting process was Schneider
stable rather than Roscoe stable. This is sufficient for the proofs in the
following. However, we will show that in fact Roscoe stability is obtained.
The reason is that the process we obtained was Schneider stable and DRW-
bisimilar to a Roscoe stable process. These two conditions imply that the
process is actually Roscoe stable.

First we show that if two processes are DRW-bisimilar, and one is Roscoe
stable and the other one is Schneider stable, then the Schneider stable one is actually
Roscoe stable:

  stabSchBisim2stabRoscIsStabRosc : {lu : LUniv}{c : Choice}
                                    (P P' : Process ∞ {lu} c)
                                    (PP' : Bisimw P P')
                                    (stabP' : stable P')
                                    (stabSchP : stableSch P)
                                    → stable P
  stabSchBisim2stabRoscIsStabRosc (terminate x) (terminate x₁)
                                  (eqterminate terequiv) stabP' stabSchP = stabP'
  -- a terminated P bisimilar to a node P' must be able to do τ or tick,
  -- which contradicts Roscoe stability of P'
  stabSchBisim2stabRoscIsStabRosc (terminate x) (node P')
                                  (eqterminate (termeqnode terequivP'))
                                  (P'stabSch ,, notickP') stabSchP
    = tauOrTickNoTauP'ImpliesConclusion tauOrTickNoTauP' where
      tauOrTickNoTauP' : ChoiceSet (I P') ⊎ (¬ (ChoiceSet (I P')) × ChoiceSet (T P'))
      tauOrTickNoTauP' = hasTauOrTickNoTau terequivP'

      tauOrTickNoTauP'ImpliesConclusion : ChoiceSet (I P')
                                          ⊎ (¬ (ChoiceSet (I P')) × ChoiceSet (T P')) → ⊥
      tauOrTickNoTauP'ImpliesConclusion (inj₁ tauChoiceP') = P'stabSch tauChoiceP'
      tauOrTickNoTauP'ImpliesConclusion (inj₂ (_ ,, tickChoiceP')) = notickP' tickChoiceP'
  stabSchBisim2stabRoscIsStabRosc (terminate x) .(terminate _) (eqterminater terequiv)
                                  stabP' stabSchP = stabP'
  stabSchBisim2stabRoscIsStabRosc (node P) (terminate x) PP' stabP' stabSchP
    = ⊥-elim (stabP' _)
  stabSchBisim2stabRoscIsStabRosc (node P) (node P') (eqnode bisimQQ')
                                  (stabSchP' ,, noTickP') stabSchP
    = stabSchP ,, noTickP
    where
      -- a tick of P would be matched by a trace of P' ending in a tick,
      -- which the Roscoe stable P' does not have
      traceToTickP : (t : ChoiceSet (T P)) → TrP+ [] (inj₂ (PT P t)) P'
      traceToTickP = bisimTtr bisimQQ'

      noTickP : ¬ (ChoiceSet (T P))
      noTickP t = schStabNoTraceToInj₂+ P' stabSchP' (PT P t) (traceToTickP t) noTickP'

Now we show Lemma 2.4.6 in full: if we have two processes P, P' which
are DRW-bisimilar, and P' has a trace to Q' which is stable, then we find a
process Q̂ := bisimTraceTrP∞Qhat, a trace bisimTraceTrP∞trhat₂ from
P to Q̂, such that Q̂ and Q' are bisimilar (proof bisimTraceTrP∞QhatQ'),
and Q̂ is stable (proof bisimTraceTrP∞stabQhat):

Theorem 10.9.1 (Agda Theorem corresponding to Lemma 2.4.6)
module _ {lu : LUniv}{c : Choice}
         (P P' : Process∞ ∞ c)
         (PP' : Bisimw∞ {∞} P P')(l : List (Label lu))
         (Q' : Process ∞ {lu} c)
         (tr' : TrP∞ l (inj₁ Q') P')
         (stab' : stable Q') where

  bisimTraceTrP∞Qhat : Process ∞ {lu} c
  bisimTraceTrP∞QhatQ' : Bisimw bisimTraceTrP∞Qhat Q'
  bisimTraceTrP∞stabQhat : stable bisimTraceTrP∞Qhat
  bisimTraceTrP∞trhat₂ : TrP∞ {lu} l (inj₁ bisimTraceTrP∞Qhat) P

Proof:
module _ {lu : LUniv}{c : Choice}(P P' : Process∞ ∞ c)
         (PP' : Bisimw∞ {∞} P P')(l : List (Label lu))
         (Q' : Process ∞ {lu} c)
         (tr' : TrP∞ l (inj₁ Q') P')
         (stab' : stable Q') where

  -- step 1: the process reached from P by the trace l, its trace, and
  -- its bisimilarity to Q'
  bisimTraceTrP∞Qcom : Process ∞ c ⊎ ChoiceSet c
  bisimTraceTrP∞Qcom = bisimTraceTrP∞₁ P P' PP' l (inj₁ Q') tr'

  bisimTraceTrP∞trcom : TrP∞ {lu} l (bisimTraceTrP∞₁ P P' PP' l (inj₁ Q') tr') P
  bisimTraceTrP∞trcom = bisimTraceTrP∞₂ P P' PP' l (inj₁ Q') tr'

  bisimTraceTrP∞QQ'com : BisimForNextP (bisimTraceTrP∞₁ P P' PP' l (inj₁ Q') tr') (inj₁ Q')
  bisimTraceTrP∞QQ'com = bisimTraceTrP∞₃ P P' PP' l (inj₁ Q') tr'

  bisimTraceTrP∞Q : Process ∞ {lu} c
  bisimTraceTrP∞Q = lemmayyy₁' bisimTraceTrP∞Qcom Q' stab' bisimTraceTrP∞QQ'com

  bisimTraceTrP∞tr : TrP∞ {lu} l (inj₁ bisimTraceTrP∞Q) P
  bisimTraceTrP∞tr = lemmayyy₂' bisimTraceTrP∞Qcom l (forcep P) Q' stab'
                                bisimTraceTrP∞QQ'com bisimTraceTrP∞trcom

  bisimTraceTrP∞QQ' : Bisimw bisimTraceTrP∞Q Q'
  bisimTraceTrP∞QQ' = lemmayyy₃' bisimTraceTrP∞Qcom Q' stab' bisimTraceTrP∞QQ'com

  -- step 2: Q is non-divergent, so it reaches a Schneider stable Qhat by τ-steps
  bisimTraceTrP∞Qhat : Process ∞ {lu} c
  bisimTraceTrP∞Qhat = nonDivBecomeStable₁ c bisimTraceTrP∞Q
                         (bisimStableImpliesNotDivergent c bisimTraceTrP∞Q Q'
                            bisimTraceTrP∞QQ' stab' (stableImpliesNonDiv Q' stab'))

  bisimTraceTrP∞trhat : TrP {lu} [] (inj₁ bisimTraceTrP∞Qhat) bisimTraceTrP∞Q
  bisimTraceTrP∞trhat = nonDivBecomeStable₂ c bisimTraceTrP∞Q
                          (bisimStableImpliesNotDivergent c bisimTraceTrP∞Q Q'
                             bisimTraceTrP∞QQ' stab' (stableImpliesNonDiv Q' stab'))

  bisimTraceTrP∞QhatQ' : Bisimw bisimTraceTrP∞Qhat Q'
  bisimTraceTrP∞QhatQ' = bisimPPWithEmptyTr bisimTraceTrP∞Q Q' bisimTraceTrP∞QQ' stab'
                           (bisimStableImpliesNotDivergent c bisimTraceTrP∞Q Q'
                              bisimTraceTrP∞QQ' stab' (stableImpliesNonDiv Q' stab'))
                           bisimTraceTrP∞trhat

  bisimTraceTrP∞stabSchQhat : stableSch bisimTraceTrP∞Qhat
  bisimTraceTrP∞stabSchQhat = nonDivBecomeStable₃ c bisimTraceTrP∞Q
                                (bisimStableImpliesNotDivergent c bisimTraceTrP∞Q Q'
                                   bisimTraceTrP∞QQ' stab' (stableImpliesNonDiv Q' stab'))

  -- step 3: Schneider stability plus bisimilarity to the Roscoe stable Q'
  -- gives Roscoe stability
  bisimTraceTrP∞stabQhat : stable bisimTraceTrP∞Qhat
  bisimTraceTrP∞stabQhat = stabSchBisim2stabRoscIsStabRosc bisimTraceTrP∞Qhat Q'
                             bisimTraceTrP∞QhatQ' stab' bisimTraceTrP∞stabSchQhat

  -- step 4: append the τ-trace to the trace l, then remove the trailing []
  bisimTraceTrP∞trhat₁ : TrP∞ {lu} (l ++ []) (inj₁ bisimTraceTrP∞Qhat) P
  bisimTraceTrP∞trhat₁ = trPAppendTrw∞ c P bisimTraceTrP∞Q l []
                           (inj₁ bisimTraceTrP∞Qhat) bisimTraceTrP∞tr bisimTraceTrP∞trhat

  bisimTraceTrP∞trhat₂ : TrP∞ {lu} l (inj₁ bisimTraceTrP∞Qhat) P
  bisimTraceTrP∞trhat₂ = subst (λ l' → TrP∞ {lu} l' (inj₁ bisimTraceTrP∞Qhat) P)
                               eql bisimTraceTrP∞trhat₁ where
    eql : (l ++ []) ≡ l
    eql = lemEqList l
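The argument of Sections 10.8 and 10.9 (find R from R' along the same trace, let R reach a Schneider stable R̂ by τ-steps, and keep bisimilarity with R') replayed on a finite transition system, as an added Python example that is not CSP-Agda code. The sample LTS, the names weak_bisimulation and lemma_2_4_6, and the treatment of divergence as a τ-cycle are assumptions of this example, not definitions from the thesis.

```python
"""Finite-state model of the proof of Lemma 2.4.6 (added example, not CSP-Agda
code): processes are states of a small labelled transition system constructed
inline, "tau" is an internal event and "tick" is termination."""
from itertools import product

TAU, TICK = "tau", "tick"

# Constructed sample LTS: state -> list of (event, successor).
# p0 behaves like q0 up to internal steps; d0 diverges (tau loop).
LTS = {
    "p0": [(TAU, "p1")], "p1": [("a", "p2")], "p2": [(TAU, "p3")],
    "p3": [("b", "p4")], "p4": [],
    "q0": [("a", "q1")], "q1": [("b", "q2")], "q2": [],
    "d0": [(TAU, "d0")],
}

def tau_closure(lts, state):
    """States reachable from `state` by zero or more tau steps."""
    seen, todo = {state}, [state]
    while todo:
        s = todo.pop()
        for ev, t in lts[s]:
            if ev == TAU and t not in seen:
                seen.add(t)
                todo.append(t)
    return seen

def divergent(lts, state):
    """A state diverges if a tau cycle is tau-reachable from it."""
    return any(s in tau_closure(lts, t)
               for s in tau_closure(lts, state)
               for ev, t in lts[s] if ev == TAU)

def schneider_stable(lts, state):
    """Schneider stability: no tau transition is available."""
    return all(ev != TAU for ev, _ in lts[state])

def roscoe_stable(lts, state):
    """Roscoe stability: neither tau nor tick is available."""
    return all(ev not in (TAU, TICK) for ev, _ in lts[state])

def weak_successors(lts, state, ev):
    """States reached by tau* ev tau* (just tau* when ev is tau)."""
    before = tau_closure(lts, state)
    if ev == TAU:
        return before
    return set().union(*(tau_closure(lts, t)
                         for s in before for e, t in lts[s] if e == ev))

def trace_successors(lts, state, trace):
    """States reached from `state` by `trace`, with tau steps interleaved."""
    states = tau_closure(lts, state)
    for ev in trace:
        states = set().union(*(weak_successors(lts, s, ev) for s in states))
    return states

def _matches(lts, rel, a, b):
    """Every move of `a` is matched by a weak move of `b` staying in `rel`."""
    return all(any((a1, b1) in rel for b1 in weak_successors(lts, b, ev))
               for ev, a1 in lts[a])

def weak_bisimulation(lts):
    """Largest divergence-respecting weak bisimulation, as a set of pairs.
    Start from all pairs agreeing on divergence and drop pairs until every
    move of either side is matched (greatest fixpoint on a finite LTS)."""
    rel = {(p, q) for p, q in product(lts, lts)
           if divergent(lts, p) == divergent(lts, q)}
    changed = True
    while changed:
        changed = False
        for p, q in sorted(rel):
            if not (_matches(lts, rel, p, q) and _matches(lts, rel, q, p)):
                rel.discard((p, q))
                changed = True
    return rel

def lemma_2_4_6(lts, rel, p, p_prime, trace):
    """Second direction of Lemma 2.4.6: given P ~ P' (pair in `rel`) and a
    trace from P' to a stable R', return (R, Rhat): R is reached from P by
    the same trace with R ~ R', and Rhat is the Schneider-stable state that
    R reaches by tau steps (the role of nonDivBecomeStable on the page)."""
    assert (p, p_prime) in rel
    r_prime = next(r for r in sorted(trace_successors(lts, p_prime, trace))
                   if roscoe_stable(lts, r))
    r = next(s for s in sorted(trace_successors(lts, p, trace))
             if (s, r_prime) in rel)
    assert not divergent(lts, r)  # R ~ R' with R' stable rules divergence out
    r_hat = r
    while not schneider_stable(lts, r_hat):  # follow the first tau step
        r_hat = next(t for ev, t in lts[r_hat] if ev == TAU)
    return r, r_hat
```

With REL = weak_bisimulation(LTS), lemma_2_4_6(LTS, REL, "p0", "q0", ["a"]) returns ("p2", "p3"): p2 is the R reached by trace a, and p3 is the stable R̂ that is still bisimilar to q1 and, as Section 10.9 argues, Roscoe stable.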

We show that if we drop the condition that Q' is stable, then we find a
process Q which is reachable by the same trace and DRW-bisimilar to Q':

Theorem 10.9.2 (Agda Theorem)
module _ {lu : LUniv}{c : Choice}
         (P P' : Process∞ ∞ c)
         (PP' : Bisimw∞ {∞} P P')
         (l : List (Label lu))
         (Q' : Process ∞ {lu} c)
         (tr' : TrP∞ l (inj₁ Q') P') where

  bisimTraceTrP∞Qcom : Process ∞ c ⊎ ChoiceSet c
  bisimTraceTrP∞trcom : TrP∞ {lu} l (bisimTraceTrP∞₁ P P' PP' l (inj₁ Q') tr') P
  bisimTraceTrP∞QQ'com : BisimForNextP (bisimTraceTrP∞₁ P P' PP' l (inj₁ Q') tr') (inj₁ Q')

Proof:
  bisimTraceTrP∞Qcom = bisimTraceTrP∞₁ P P' PP' l (inj₁ Q') tr'
  bisimTraceTrP∞trcom = bisimTraceTrP∞₂ P P' PP' l (inj₁ Q') tr'
  bisimTraceTrP∞QQ'com = bisimTraceTrP∞₃ P P' PP' l (inj₁ Q') tr'



10.10 Bisimilarity Implies Stable Failures Equivalence

One of the main tools for proving equivalence with respect to stable failures
semantics is a proof that strong and DRW bisimilarity imply stable failures
equivalence. The reason is that it is usually much easier to prove strong
or DRW bisimilarity than to prove stable failures equivalence directly. Proving
stable failures equivalence is difficult since one needs to derive corresponding
lemmata for all future processes, which might be of a different shape than
the original law. When proving DRW-bisimilarity, these auxiliary lemmata
occur much more naturally and are much easier to deal with.

In this section we show that DRW and strong bisimilarity imply stable
failures equivalence. We first show that DRW bisimilarity implies stable
failures refinement. Using symmetry of bisimilarity we obtain as well stable
failures equivalence, and using the fact that strong bisimilarity implies DRW
bisimilarity, we obtain those laws for strong bisimilarity as well.

In order to prove that weak bisimilarity implies stable failures refinement
we first prove refinement with respect to ⊑sf₁. For this we assume we have
a trace leading to a stable failure for P' and get a proof for P. We use
where clauses to build up the proof in stages, reflecting each step for
P' by a corresponding step for P and maintaining bisimilarity between the
corresponding processes. The full proof is as follows:

  bisimwImplies⊑sf₁ : {lu : LUniv}{c : Choice} (P : Process ∞ {lu} c)
                      (P' : Process ∞ {lu} c)
                      (PP' : Bisimw {∞} P P')
                      → P ⊑sf₁ P'
  bisimwImplies⊑sf₁ {lu}{c} P P' PP' l X (stableFp Q' tr' stab' drefuse')
    = (stableFp Qhat trhat₂
                (stabSchNoTickIfRos2StablePar Qhat true stabSchQhat stabNoTick)
                drefusehat)
    where
      -- the process reached from P by the trace l, the trace, and the
      -- bisimilarity with Q' (Lemma 2.4.6, part 1)
      Qcom : Process ∞ {lu} c ⊎ ChoiceSet c
      Qcom = bisimTraceTrP₁ P P' PP' l (inj₁ Q') tr'

      trcom : TrP {lu} l (bisimTraceTrP₁ P P' PP' l (inj₁ Q') tr') P
      trcom = bisimTraceTrP₂ P P' PP' l (inj₁ Q') tr'

      QQ'com : BisimForNextP (bisimTraceTrP₁ P P' PP' l (inj₁ Q') tr') (inj₁ Q')
      QQ'com = bisimTraceTrP₃ P P' PP' l (inj₁ Q') tr'

      Q : Process ∞ {lu} c
      Q = lemmayyy₁ Qcom Q' stab' X drefuse' QQ'com

      tr : TrP {lu} l (inj₁ Q) P
      tr = lemmayyy₂ Qcom l P Q' stab' X drefuse' QQ'com trcom

      QQ' : Bisimw Q Q'
      QQ' = lemmayyy₃ Qcom Q' stab' X drefuse' QQ'com

      -- Q is non-divergent, so it reaches a stable Qhat by τ-steps
      Qhat : Process ∞ {lu} c
      Qhat = nonDivBecomeStable₁ c Q
               (bisimStableImpliesNotDivergent c Q Q' QQ' stab'
                  (stableImpliesNonDiv Q' stab'))

      trhat : TrP {lu} [] (inj₁ Qhat) Q
      trhat = nonDivBecomeStable₂ c Q
                (bisimStableImpliesNotDivergent c Q Q' QQ' stab'
                   (stableImpliesNonDiv Q' stab'))

      QhatQ' : Bisimw Qhat Q'
      QhatQ' = bisimPPWithEmptyTr Q Q' QQ' stab'
                 (bisimStableImpliesNotDivergent c Q Q' QQ' stab'
                    (stableImpliesNonDiv Q' stab')) trhat

      stabSchQhat : stableSch Qhat
      stabSchQhat = nonDivBecomeStable₃ c Q
                      (bisimStableImpliesNotDivergent c Q Q' QQ' stab'
                         (stableImpliesNonDiv Q' stab'))

      stabNoTick : noTickIfRoscoe true Qhat
      stabNoTick = bisimwStableToNoTick Qhat Q' QhatQ' stab' stabSchQhat

      -- the trace from P to Qhat, first with a trailing [] and then without
      trhat₁ : TrP {lu} (l ++ []) (inj₁ Qhat) P
      trhat₁ = trPAppendTrw c P Q l [] (inj₁ Qhat) tr trhat

      eql : (l ++ []) ≡ l
      eql = lemEqList l

      trhat₂ : TrP {lu} l (inj₁ Qhat) P
      trhat₂ = subst (λ l' → TrP {lu} l' (inj₁ Qhat) P) eql trhat₁

      -- the refusal of Q' transfers to the bisimilar stable Qhat
      drefusehat : DRefusal Qhat true X
      drefusehat = bisimDRefusal Q' Qhat stab' (BismwSym Qhat Q' QhatQ') X true drefuse'

There are similar proofs for Process+ and Process∞.
Now we combine the proofs that DRW bisimilarity implies trace refinement
with the proof above to get a proof that DRW bisimilarity implies
stable failures refinement:

  bisimwImplies⊑sf₁+ : {lu : LUniv}{c : Choice} (P : Process+ ∞ {lu} c)
                       (P' : Process+ ∞ {lu} c)
                       (PP' : Bisimw+ {∞} P P')
                       → P ⊑sf₁+ P'

Next we show that we obtain the refinement statement with P and P'
interchanged. Here we use the proof that weak bisimilarity is symmetric:

  bisimwImplies⊑sf₁r+ : {lu : LUniv}{c : Choice} (P : Process+ ∞ {lu} c)
                        (P' : Process+ ∞ {lu} c)
                        (PP' : Bisimw+ {∞} P P')
                        → P' ⊑sf₁+ P
  bisimwImplies⊑sf₁r+ P P' PP' = bisimwImplies⊑sf₁+ P' P (BismwSym+ P P' PP')

Now we combine the two proofs to a proof of stable failures equivalence:

Theorem 10.10.1 (Agda Theorem)
  bisimwImplies≡sf : {lu : LUniv}{c : Choice}
                     (P : Process ∞ {lu} c)
                     (P' : Process ∞ {lu} c)
                     (PP' : Bisimw {∞} P P')
                     → P ≡sf P'

Proof:
  bisimwImplies≡sf P P' PP' = bisimwImplies⊑sf P P' PP' ,, bisimwImplies⊑sfr P P' PP'

Finally we show that stable failures equivalence is as well implied
by strong bisimilarity, using the fact that strong bisimilarity implies DRW-
bisimilarity:

Theorem 10.10.2 (Agda Theorem)
  bisimsImplies≡sf : {lu : LUniv}{c : Choice}
                     (P : Process ∞ {lu} c)
                     (P' : Process ∞ {lu} c)
                     (PP' : Bisims {∞} P P')
                     → P ≡sf P'

Proof:
  bisimsImplies≡sf P P' PP' = bisimwImplies≡sf P P' (bisimsToBismw P P' PP')



10.11 Bisimilarity Implies Failures Divergences Infinite Equivalence

As mentioned in Sect. 9, stable failures semantics doesn't deal well with
divergent processes. Therefore the failures-divergences-infinite traces model
was developed. When proving laws in this model, we face the same problem as
for stable failures semantics: the proofs are very involved. As for stable
failures semantics, the solution is to prove instead that strong and
DRW-bisimilarity imply equivalence in this model, and to prove the laws using
bisimilarity. Therefore, in this section we show in Agda that DRW-bisimilarity,
and hence strong bisimilarity as well, implies equivalence with respect to
Failures/Divergences/Infinite Traces.

FDI-refinement consists of four components: refinement with respect to
trace semantics, failures, divergences, and infinite traces, and we will
prove that DRW-bisimilarity implies each of these four refinements.

The first step towards this proof, that DRW-bisimilarity implies trace
refinement, was already carried out in Sect. 10.7.2.

The second step is to show that if P, P' are DRW-bisimilar, then the failures
of the process P' are failures of the process P. Note that in the FDI
semantics we have two kinds of failures: stable failures, and failures caused
by divergence, in which case a process can refuse everything because it is
engaged in performing infinitely many τ-transitions.

10.11.1 DRW-Bisimilarity Implies Refinement with respect to Failures

A proof that DRW-bisimilarity implies refinement with respect to failures is
given in Agda as follows:

bisimRefusalros : {lu : LUniv}{c : Choice} (P : Process ∞ {lu} c)
                  (P' : Process ∞ {lu} c)
                  (PP' : Bisimw {∞} P P') (l : List (Label lu))
                  (X : Label lu → Bool)
                  (fail : failure P' l true X)
                  → failure P l true X
bisimRefusalros {lu}{c} P P' PP' l X
                (stableFail (stableFp Q' tr' stab' drefuse'))
   = (stableFail (stableFp Qhat trhat₂
                   (stabSchNoTickIfRos2StablePar Qhat true stabSchQhat stabNoTick)
                   drefusehat))
   where
     Qcom : Process ∞ {lu} c ⊎ ChoiceSet c
     Qcom = bisimTraceTrP₁ P P' PP' l (inj₁ Q') tr'

     trcom : TrP {lu} l (bisimTraceTrP₁ P P' PP' l (inj₁ Q') tr') P
     trcom = bisimTraceTrP₂ P P' PP' l (inj₁ Q') tr'

     QQ'com : BisimForNextP (bisimTraceTrP₁ P P' PP' l (inj₁ Q') tr') (inj₁ Q')
     QQ'com = bisimTraceTrP₃ P P' PP' l (inj₁ Q') tr'

     Q : Process ∞ {lu} c
     Q = lemmayyy₁ Qcom Q' stab' X drefuse' QQ'com

     tr : TrP {lu} l (inj₁ Q) P
     tr = lemmayyy₂ Qcom l P Q' stab' X drefuse' QQ'com trcom

     QQ' : Bisimw Q Q'
     QQ' = lemmayyy₃ Qcom Q' stab' X drefuse' QQ'com

     Qhat : Process ∞ {lu} c
     Qhat = nonDivBecomeStable₁ c Q
              (bisimStableImpliesNotDivergent c Q Q' QQ' stab'
                 (stableImpliesNonDiv Q' stab'))

     trhat : TrP {lu} [] (inj₁ Qhat) Q
     trhat = nonDivBecomeStable₂ c Q
               (bisimStableImpliesNotDivergent c Q Q' QQ' stab'
                  (stableImpliesNonDiv Q' stab'))

     QhatQ' : Bisimw Qhat Q'
     QhatQ' = bisimPPWithEmptyTr Q Q' QQ' stab'
                (bisimStableImpliesNotDivergent c Q Q' QQ' stab'
                   (stableImpliesNonDiv Q' stab')) trhat

     stabSchQhat : stableSch Qhat
     stabSchQhat = nonDivBecomeStable₃ c Q
                     (bisimStableImpliesNotDivergent c Q Q' QQ' stab'
                        (stableImpliesNonDiv Q' stab'))

     stabNoTick : noTickIfRoscoe true Qhat
     stabNoTick = bisimwStableToNoTick Qhat Q' QhatQ' stab' stabSchQhat

     trhat₁ : TrP {lu} (l ++ []) (inj₁ Qhat) P
     trhat₁ = trPAppendTrw c P Q l [] (inj₁ Qhat) tr trhat

     eql : (l ++ []) ≡ l
     eql = lemEqList l

     trhat₂ : TrP {lu} l (inj₁ Qhat) P
     trhat₂ = subst (λ l' → TrP {lu} l' (inj₁ Qhat) P) eql trhat₁

     drefusehat : DRefusal Qhat true X
     drefusehat = bisimDRefusal Q' Qhat stab'
                    (BismwSym Qhat Q' QhatQ') X true drefuse'

bisimRefusalros {lu}{c} P P' PP' l X
                (divergentFailure (trdiv Q' trp' divq'))
   = (divergentFailure (trdiv Q tr divp))
   where
     Qcom : Process ∞ {lu} c ⊎ ChoiceSet c
     Qcom = bisimTraceTrP₁ P P' PP' l (inj₁ Q') trp'

     trcom : TrP {lu} l (bisimTraceTrP₁ P P' PP' l (inj₁ Q') trp') P
     trcom = bisimTraceTrP₂ P P' PP' l (inj₁ Q') trp'

     QQ'com : BisimForNextP (bisimTraceTrP₁ P P' PP' l (inj₁ Q') trp') (inj₁ Q')
     QQ'com = bisimTraceTrP₃ P P' PP' l (inj₁ Q') trp'

     Q : Process ∞ {lu} c
     Q = lemmaxxx₁ Qcom Q' divq' QQ'com

     tr : TrP {lu} l (inj₁ Q) P
     tr = lemmaxxx₂ Qcom l P Q' divq' QQ'com trcom

     QQ' : Bisimw Q Q'
     QQ' = lemmaxxx₃ Qcom l Q' divq' QQ'com

     Q'Q : Bisimw Q' Q
     Q'Q = BismwSym Q Q' QQ'

     divp : DivergentProcess ∞ {lu} c Q
     divp = bisimImpliesDivergentPreserv c Q' Q Q'Q divq'

This implies refinement with respect to failures:

bisimImFDI₂ : {lu : LUniv}{c : Choice} (P : Process ∞ {lu} c)
              (P' : Process ∞ {lu} c)
              (PP' : Bisimw {∞} P P')
              → P ⊑fdi₂ros P'
bisimImFDI₂ {lu}{c} P P' PP' = bisimRefusalros P P' PP'

bisimImFDI₂r : {lu : LUniv}{c : Choice} (P : Process ∞ {lu} c)
               (P' : Process ∞ {lu} c)
               (PP' : Bisimw {∞} P P')
               → P' ⊑fdi₂ros P
bisimImFDI₂r {lu}{c} P P' PP' = bisimImFDI₂ P' P (BismwSym P P' PP')


10.11.2 DRW-Bisimilarity Implies Refinement with respect to Divergences

We show that, if two processes P and P' are bisimilar, and P is a divergent
process, then P' is divergent. This is proved in Agda as follows (we give only
the proof for Process):

bisimImpliesDivergentPreserv : {lu : LUniv}(c : Choice)
                               (P P' : Process ∞ {lu} c)
                               (PP' : Bisimw {∞} P P')
                               (divP : DivergentProcess ∞ {lu} c P)
                               → DivergentProcess ∞ {lu} c P'
bisimImpliesDivergentPreserv c .(terminate _) P' (eqterminate x) ()
bisimImpliesDivergentPreserv c .(node P) .(terminate a)
   (eqterminater {a} {.(node P)} (termeqnode terequivP)) (div P divP)
   = ⊥-elim (divergentImpliesNotTermEquiv+ c P a terequivP divP)
bisimImpliesDivergentPreserv c .(node P) .(node P') (eqnode {.P} {P'} PP')
   (div P divP)
   = div P' (bisimImpliesDivergentPreserv+ c P P' PP' divP)

Next we show that DRW-bisimilarity implies that divergent traces are
preserved:

bisimImTrD : {lu : LUniv}{c : Choice} (P : Process ∞ {lu} c)
             (P' : Process ∞ {lu} c)
             (PP' : Bisimw {∞} P P') (l : List (Label lu))
             (TrD : TraceDivergent ∞ c l P')
             → TraceDivergent ∞ c l P
bisimImTrD P P' PP' l (trdiv Q' trp' divp') = trdiv Q tr divp
   where
     Qcom : Process ∞ {lu} c ⊎ ChoiceSet c
     Qcom = bisimTraceTrP₁ P P' PP' l (inj₁ Q') trp'

     trcom : TrP l (bisimTraceTrP₁ P P' PP' l (inj₁ Q') trp') P
     trcom = bisimTraceTrP₂ P P' PP' l (inj₁ Q') trp'

     QQ'com : BisimForNextP (bisimTraceTrP₁ P P' PP' l (inj₁ Q') trp') (inj₁ Q')
     QQ'com = bisimTraceTrP₃ P P' PP' l (inj₁ Q') trp'

     Q : Process ∞ {lu} c
     Q = lemmaxxx₁ Qcom Q' divp' QQ'com

     tr : TrP l (inj₁ Q) P
     tr = lemmaxxx₂ Qcom l P Q' divp' QQ'com trcom

     QQ' : Bisimw Q Q'
     QQ' = lemmaxxx₃ Qcom l Q' divp' QQ'com

     Q'Q : Bisimw Q' Q
     Q'Q = BismwSym Q Q' QQ'

     divp : DivergentProcess ∞ c Q
     divp = bisimImpliesDivergentPreserv c Q' Q Q'Q divp'

Therefore we get that DRW-bisimilarity implies refinement with respect
to divergences:

bisimImFDI₁ : {lu : LUniv}{c : Choice} (P P' : Process+ ∞ {lu} c)
              (PP' : Bisimw+ {∞} P P')
              → P ⊑fdi₁+ P'
bisimImFDI₁ {lu}{c} P P' PP' = bisimImTrD+ P P' PP'

bisimImFDI₁r : {lu : LUniv}{c : Choice} (P P' : Process+ ∞ {lu} c)
               (PP' : Bisimw+ {∞} P P')
               → P' ⊑fdi₁+ P
bisimImFDI₁r {lu}{c} P P' PP' = bisimImFDI₁ P' P (BismwSym+ P P' PP')


10.11.3 DRW-Bisimilarity Implies Refinement with respect to Infinite Traces

We are going to show that if two processes are DRW-bisimilar, then any
infinite trace of one is an infinite trace of the other. This is shown by
reflecting each step of an infinite trace of one process by steps of the
second process. Because of weak bisimulation, each step becomes a finite trace
in the other process: a τ-transition can become arbitrarily many (or no)
τ-transitions in the other, and an external choice becomes arbitrarily many
τ-transitions, followed by an external choice with the same label, followed by
arbitrarily many τ-transitions.

One complication is that the definition of an infinite trace is a combined
inductive/coinductive definition: only finitely many τ-transitions are allowed
between two labels, but there are infinitely many external choices. Therefore
the definition is inductive in the τ-transitions and coinductive in the
external choices. So in the proof we need to take care of the point where the
first process makes an explicit external choice: the size of the second
process needs to go down when we reach that external choice, whereas it does
not go down in any initial extra τ-transitions.
The first step is to show that if we have an infinite trace starting with
a process Q, and a finite trace without labels leading from P to Q, we obtain
an infinite trace of P with the same labels. This is done in the following
function addτTraceToInfiniteTrace:

addτTraceToInfiniteTrace : {i : Size}{lu : LUniv}{c : Choice}
                           (P : Process ∞ {lu} c)
                           (Q : Process ∞ {lu} c)
                           (l : Stream (Label lu))
                           (tr₁ : TrP [] (inj₁ Q) P)
                           (tr₂ : infTr {i} l Q)
                           → infTr {i} l P
addτTraceToInfiniteTrace .(terminate x) .(terminate x) l (empty x) tr₂ = tr₂
addτTraceToInfiniteTrace .(node P) Q l (tnode {.[]} {_} {P} tr₁) tr₂ =
   tnode (addτTraceToInfiniteTrace+ P Q l tr₁ tr₂)

addτTraceToInfiniteTrace+ : {i : Size}{lu : LUniv}{c : Choice}
                            (P : Process+ ∞ {lu} c)
                            (Q : Process ∞ {lu} c)
                            (l : Stream (Label lu))
                            (tr₁ : TrP+ [] (inj₁ Q) P)
                            (tr₂ : infTr {i} l Q)
                            → infTr+ {i} l P
addτTraceToInfiniteTrace+ P .(node P) l empty (tnode tr) = tr
addτTraceToInfiniteTrace+ P Q l (intc .[] .(inj₁ Q) x tr₁) tr₂ =
   intc l x (addτTraceToInfiniteTrace (forcep (PI P x)) Q l tr₁ tr₂)

addτTraceToInfiniteTrace∞ : {i : Size}{lu : LUniv}{c : Choice}
                            (P : Process∞ ∞ {lu} c)
                            (Q : Process ∞ {lu} c)
                            (l : Stream (Label lu))
                            (tr₁ : TrP∞ [] (inj₁ Q) P)
                            (tr₂ : infTr {i} l Q)
                            → infTr∞ {↑ i} l P
forcetP (addτTraceToInfiniteTrace∞ P Q l tr₁ tr₂) =
   addτTraceToInfiniteTrace (forcep P) Q l tr₁ tr₂

Now we show that infinite traces of one process become infinite traces of
the other one. We present here only the most interesting case, for Process+:

bisimInfTr+ : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process+ ∞ {lu} c)
              (PP' : Bisimw+ {∞} P P')
              (l : Stream (Label lu))
              (tr : infTr+ {i} l P')
              → infTr+ {i} l P
bisimInfTr+ {i} {lu} {c} P P' PP' l (extc .l e eq tr) =
   bisimInfTr+aux∞ P Q Q' l (Lab P' e) eq tr₁ QQ' tr
   where
     Q : Process∞ ∞ c
     Q = bisimEP'r PP' e

     Q' : Process∞ ∞ c
     Q' = PE P' e

     tr₁ : TrP+ (Lab P' e :: []) (inj₁ (forcep Q)) P
     tr₁ = bisimEtrr PP' e

     eqlab : T' (Lab P' e ==l head l)
     eqlab = sym==l {lu} {head l} {Lab P' e} eq

     tr₁' : TrP+ (head l :: []) (inj₁ (forcep Q)) P
     tr₁' = transfLu {lu} (λ lab₁ → TrP+ (lab₁ :: []) (inj₁ (forcep Q)) P)
                    eqlab tr₁

     QQ' : Bisimw∞ Q Q'
     QQ' = bisimEnextr PP' e

This function was defined simultaneously with several auxiliary functions
which deal with the first step made in a finite trace of the second process,
where this finite trace is the reflection of a step of the infinite trace of
the first process. We need to deal with it in this way in order to pass the
termination checker:

bisimInfTr+aux∞ : {i : Size}{lu : LUniv}{c : Choice}
                  (P : Process+ ∞ {lu} c)
                  (Q : Process∞ ∞ c)
                  (Q' : Process∞ ∞ c)
                  (l : Stream (Label lu))
                  (la : Label lu)
                  (eqlab : T' (head l ==l la))
                  (tr₁ : TrP+ (la :: []) (inj₁ (forcep Q)) P)
                  (QQ' : Bisimw∞ Q Q')
                  (tr₂ : infTr∞ {i} (tail l) Q')
                  → infTr+ {i} l P
bisimInfTr+aux∞ P Q Q' l .(Lab P x) eqlab
                (extc .[] .(inj₁ (forcep Q)) x tr₁) QQ' tr₂
   = extc l x eqlab
       (addτTraceToInfiniteTrace∞∞ (PE P x) Q (tail l) tr₁
          (bisimInfTr∞ Q Q' QQ' (tail l) tr₂))
bisimInfTr+aux∞ P Q Q' l la eqlab
                (intc .(la :: []) .(inj₁ (forcep Q)) x tr₁) QQ' tr₂ =
   intc l x
     (bisimInfTr+aux∞p (forcep (PI P x)) Q Q' l la eqlab tr₁ QQ' tr₂)

bisimτInfTr+aux : {i : Size}{lu : LUniv}{c : Choice}(P : Process+ ∞ {lu} c)
                  (Q : Process ∞ c)
                  (Q' : Process ∞ c)
                  (tr₁ : TrP+ [] (inj₁ Q) P)
                  (QQ' : Bisimw Q Q')
                  (l : Stream (Label lu))
                  (tr₂ : infTr {i} l Q')
                  → infTr+ {i} l P
bisimτInfTr+aux P .(node P) .(node P')
                empty (eqnode PP') l (tnode {.l} {P'} tr) = bisimInfTr+ P P' PP' l tr
bisimτInfTr+aux P Q Q' (intc .[] .(inj₁ Q) x tr₁) QQ' l tr₂ =
   intc l x (addτTraceToInfiniteTrace (forcep (PI P x)) Q l tr₁
               (bisimInfTr Q Q' QQ' l tr₂))

10.11.4 DRW-Bisimilarity Implies Refinement with respect to FDI

We have now all components ready to prove that DRW-bisimilarity implies
Failures/Divergences/Infinite Traces equivalence. First we combine the
above proofs to one proof that DRW-bisimilarity implies FDI refinement and
equivalence:

bisimImFdiRef : {lu : LUniv}{c : Choice} (P P' : Process+ ∞ {lu} c)
                (PP' : Bisimw+ {∞} P P')
                → P ⊑fdi+ P'
bisimImFdiRef P P' PP' = ((bisimTraceEq+ P P' PP' ,,
                           bisimImFDI₁ P P' PP') ,,
                          bisimImFDI₂+ P P' PP') ,,
                         bisimImFDI₃+ P P' PP'

Theorem 10.11.1 (Agda Theorem)
bisimImFdiEquiv : {lu : LUniv}{c : Choice}
                  (P P' : Process+ ∞ {lu} c)
                  (PP' : Bisimw+ {∞} P P')
                  → P ≡fdi+ P'

Proof:
bisimImFdiEquiv P P' PP' = bisimImFdiRef P P' PP' ,,
                           bisimImFdiRef P' P (BismwSym+ P P' PP')

Using that strong bisimilarity implies DRW-bisimilarity, we obtain a proof
that strong bisimilarity implies FDI refinement and equivalence as well:

bisimsImFdiRef : {lu : LUniv}{c : Choice} (P P' : Process+ ∞ {lu} c)
                 (PP' : Bisims+ {∞} P P')
                 → P ⊑fdi+ P'
bisimsImFdiRef P P' PP' = bisimImFdiRef P P' (bisimsToBismw+ P P' PP')

bisimsImFdiEquiv : {lu : LUniv}{c : Choice} (P P' : Process+ ∞ {lu} c)
                   (PP' : Bisims+ {∞} P P')
                   → P ≡fdi+ P'
bisimsImFdiEquiv P P' PP' = bisimImFdiEquiv P P' (bisimsToBismw+ P P' PP')
10.12 Proofs in Divergence-Respecting Weak Bisimilarity Semantics

A number of techniques have been developed in this thesis to prove algebraic
laws for CSP; the first one was a direct proof of algebraic laws using the
traces model. Trace semantics is one of the most common models for
establishing safety properties.

As we discussed in Sect. 7, trace semantics refers only to the observable
traces. It does not distinguish between external and internal choice. In
particular, it does not tell what a process can refuse to do.

The stable failures model records the events that a process performs
together with the sets of events the process can refuse after it has
stabilised. The stable failures model is not effective in analysing processes
which can diverge, i.e. which have an infinite sequence of τ-transitions: it
ignores any divergent behaviour.

In the Failures/Divergences/Infinite Traces (FDI) model of CSP, these
behaviours are recorded alongside the failures information. In this approach,
we can identify a process P with the failures, divergences and infinite traces
that may be observed.

As noted before, proofs in the stable failures and FDI models are very
laborious, since we have to prove all properties not only for the initial
process, but also for all subprocesses evolving from it. It is also tedious to
prove all the different components (2 in the case of stable failures, and 4 in
the case of FDI) of the semantic models. It is much easier to prove these laws
with respect to DRW-bisimilarity, which implies equivalence with respect to
the traces, the stable failures and the failures/divergences/infinite traces
models.

10.12.1 Proof of Commutativity of the External Choice Operator

We prove commutativity of the external choice operator with respect to the
three main semantic models by showing that (P □ Q) and (Q □ P) are strongly
bisimilar. The fact that we have strong bisimilarity in this case (which
doesn't hold for many algebraic laws) makes the proof easier; proofs of
DRW-bisimilarity require much more work. As for proofs of trace equivalence,
we need to apply the function fmap to one side of the equation, in order to
adjust the return values of termination events.

Theorem 10.12.1 (Agda Theorem)
C□+ : {lu : LUniv}{c₀ c₁ : Choice} (P : Process+ ∞ {lu} c₀)
      (Q : Process+ ∞ {lu} c₁)
      → Bisims+ (P □+ Q) (fmap+ swap⊎ (Q □+ P))

Proof:
bisim2E (C□+ P Q) (inj₁ x) = inj₂ x
bisim2E (C□+ P Q) (inj₂ y) = inj₁ y
bisimELab (C□+ P Q) (inj₁ x) = refl
bisimELab (C□+ P Q) (inj₂ y) = refl
bisimENext (C□+ P Q) (inj₁ x) = lemBisimFmap∞ inj₂ swap⊎ (PE P x)
bisimENext (C□+ P Q) (inj₂ y) = lemBisimFmap∞ inj₁ swap⊎ (PE Q y)
bisim2I (C□+ P Q) (inj₁ x) = inj₂ x
bisim2I (C□+ P Q) (inj₂ y) = inj₁ y
bisimINext (C□+ {lu} P Q) (inj₁ x) = C□∞+ {lu = lu} (PI P x) Q
bisimINext (C□+ {lu} P Q) (inj₂ y) = C□+∞ {lu = lu} P (PI Q y)
bisim2T (C□+ P Q) (inj₁ x) = inj₂ x
bisim2T (C□+ P Q) (inj₂ y) = inj₁ y
bisim2TEq (C□+ P Q) (inj₁ x) = refl
bisim2TEq (C□+ P Q) (inj₂ y) = refl
bisim2Er (C□+ P Q) (inj₁ x) = inj₂ x
bisim2Er (C□+ P Q) (inj₂ y) = inj₁ y
bisimELabr (C□+ P Q) (inj₁ x) = refl
bisimELabr (C□+ P Q) (inj₂ y) = refl
bisimENextr (C□+ P Q) (inj₁ x) = lemBisimFmap∞ inj₁ swap⊎ (PE Q x)
bisimENextr (C□+ P Q) (inj₂ y) = lemBisimFmap∞ inj₂ swap⊎ (PE P y)
bisim2Ir (C□+ P Q) (inj₁ x) = inj₂ x
bisim2Ir (C□+ P Q) (inj₂ y) = inj₁ y
bisimINextr (C□+ P Q) (inj₁ x) = C□+∞ P (PI Q x)
bisimINextr (C□+ P Q) (inj₂ y) = C□∞+ (PI P y) Q
bisim2Tr (C□+ P Q) (inj₁ x) = inj₂ x
bisim2Tr (C□+ P Q) (inj₂ y) = inj₁ y
bisim2TEqr (C□+ P Q) (inj₁ x) = refl
bisim2TEqr (C□+ P Q) (inj₂ y) = refl
Now we can use the fact that strong bisimilarity implies DRW-bisimilarity,
trace equivalence, stable failures equivalence, and FDI equivalence, and
obtain the law in all these four semantics as well:

Theorem 10.12.2 (Agda Theorem)
SW□+ : {lu : LUniv}{c₀ c₁ : Choice}
       (P : Process+ ∞ {lu} c₀)
       (Q : Process+ ∞ {lu} c₁)
       → Bisimw+ (P □+ Q) (fmap+ swap⊎ (Q □+ P))

Proof:
SW□+ P Q = bisimsToBismw+ (P □+ Q) (fmap+ swap⊎ (Q □+ P)) (C□+ P Q)

Theorem 10.12.3 (Agda Theorem)
commuteExtChTrace+ : {lu : LUniv}{c₀ c₁ : Choice}
                     (P : Process+ ∞ {lu} c₀)
                     (P' : Process+ ∞ {lu} c₁)
                     → (P □+ P') ≡+ (fmap+ swap⊎ (P' □+ P))

Proof:
commuteExtChTrace+ P P' = bisimTraceEqs+≡ (P □+ P')
                                          (fmap+ swap⊎ (P' □+ P))
                                          (C□+ P P')

Theorem 10.12.4 (Agda Theorem)
commuteExtChSF+ : {lu : LUniv}{c₀ c₁ : Choice}
                  (P : Process+ ∞ {lu} c₀)
                  (P' : Process+ ∞ {lu} c₁)
                  → (P □+ P') ≡sf+ (fmap+ swap⊎ (P' □+ P))

Proof:
commuteExtChSF+ P P' = bisimsImplies≡sf+ (P □+ P')
                                         (fmap+ swap⊎ (P' □+ P))
                                         (C□+ P P')

Theorem 10.12.5 (Agda Theorem)
commuteExtChFDI+ : {lu : LUniv}{c₀ c₁ : Choice}
                   (P : Process+ ∞ {lu} c₀)
                   (P' : Process+ ∞ {lu} c₁)
                   → (P □+ P') ≡fdi+ (fmap+ swap⊎ (P' □+ P))

Proof:
commuteExtChFDI+ P P' = bisimsImFdiEquiv (P □+ P')
                                         (fmap+ swap⊎ (P' □+ P))
                                         (C□+ P P')

10.12.2 Proof of Commutativity of the Interleaving Operator

The proof in this section uses the same steps as the one in the previous
section. We start by showing that the process (P ||| Q) is strongly bisimilar
to (Q ||| P). The proof in Agda is as follows:

Theorem 10.12.6 (Agda Theorem)
C|||+ : {lu : LUniv}{c₀ c₁ : Choice}
        (P : Process+ ∞ {lu} c₀)
        (Q : Process+ ∞ {lu} c₁)
        → Bisims+ (P |||+ Q) (fmap+ swap× (Q |||+ P))

Proof:
bisim2E (C|||+ P Q) (inj₁ x) = inj₂ x
bisim2E (C|||+ P Q) (inj₂ y) = inj₁ y
bisimELab (C|||+ P Q) (inj₁ x) = refl
bisimELab (C|||+ P Q) (inj₂ y) = refl
bisimENext (C|||+ P Q) (inj₁ x) = C|||∞+ (PE P x) Q
bisimENext (C|||+ P Q) (inj₂ y) = C|||+∞ P (PE Q y)
bisim2I (C|||+ P Q) (inj₁ x) = inj₂ x
bisim2I (C|||+ P Q) (inj₂ y) = inj₁ y
bisimINext (C|||+ P Q) (inj₁ x) = C|||∞+ (PI P x) Q
bisimINext (C|||+ P Q) (inj₂ y) = C|||+∞ P (PI Q y)
bisim2T (C|||+ P Q) (x ,, x₁) = (x₁ ,, x)
bisim2TEq (C|||+ P Q) (x ,, x₁) = refl
bisim2Er (C|||+ P Q) (inj₁ x) = inj₂ x
bisim2Er (C|||+ P Q) (inj₂ y) = inj₁ y
bisimELabr (C|||+ P Q) (inj₁ x) = refl
bisimELabr (C|||+ P Q) (inj₂ y) = refl
bisimENextr (C|||+ P Q) (inj₁ x) = C|||+∞ P (PE Q x)
bisimENextr (C|||+ P Q) (inj₂ y) = C|||∞+ (PE P y) Q
bisim2Ir (C|||+ P Q) (inj₁ x) = inj₂ x
bisim2Ir (C|||+ P Q) (inj₂ y) = inj₁ y
bisimINextr (C|||+ P Q) (inj₁ x) = C|||+∞ P (PI Q x)
bisimINextr (C|||+ P Q) (inj₂ y) = C|||∞+ (PI P y) Q
bisim2Tr (C|||+ P Q) (x ,, x₁) = x₁ ,, x
bisim2TEqr (C|||+ P Q) (x ,, x₁) = refl

We obtain again proofs of this law using DRW-bisimilarity, trace
equivalence, stable failures equivalence, and FDI equivalence:

Theorem 10.12.7 (Agda Theorem)
SW||| : {lu : LUniv}{c₀ c₁ : Choice}
        (P : Process ∞ {lu} c₀)
        (Q : Process ∞ {lu} c₁)
        → Bisimw (P ||| Q) (fmap swap× (Q ||| P))

Proof:
SW||| P Q = bisimsToBismw (P ||| Q) (fmap swap× (Q ||| P)) (C||| P Q)

Theorem 10.12.8 (Agda Theorem)
commute|||Trace+ : {lu : LUniv}{c₀ c₁ : Choice}
                   (P : Process+ ∞ {lu} c₀)
                   (P' : Process+ ∞ {lu} c₁)
                   → (P |||+ P') ≡+ (fmap+ swap× (P' |||+ P))

Proof:
commute|||Trace+ P P' = bisimTraceEqs+≡ (P |||+ P')
                                        (fmap+ swap× (P' |||+ P))
                                        (C|||+ P P')

Theorem 10.12.9 (Agda Theorem)
commute|||SF+ : {lu : LUniv}{c₀ c₁ : Choice}
                (P : Process+ ∞ {lu} c₀)
                (P' : Process+ ∞ {lu} c₁)
                → (P |||+ P') ≡sf+ (fmap+ swap× (P' |||+ P))

Proof:
commute|||SF+ P P' = bisimsImplies≡sf+ (P |||+ P')
                                       (fmap+ swap× (P' |||+ P))
                                       (C|||+ P P')

Theorem 10.12.10 (Agda Theorem)
commute|||FDI+ : {lu : LUniv}{c₀ c₁ : Choice}
                 (P : Process+ ∞ {lu} c₀)
                 (P' : Process+ ∞ {lu} c₁)
                 → (P |||+ P') ≡fdi+ (fmap+ swap× (P' |||+ P))

Proof:
commute|||FDI+ P P' = bisimsImFdiEquiv (P |||+ P')
                                       (fmap+ swap× (P' |||+ P))
                                       (C|||+ P P')


10.13 Proof of the Monadic Laws

10.13.1 Proof of the First Monadic Law

We defined processes in a monadic way, and will in this section prove two of
the monad laws for processes.

In functional programming, a monad is given by a functor M together with
morphisms

   _>>=_ : M A → (A → M B) → M B

and

   return : A → M A

such that the following laws hold:

   return a >>= f = f a
   p >>= return = p
   (p >>= f) >>= g = p >>= (λ x → f x >>= g)

The proof of the first monadic law is trivial, since (terminate a >>= P) is
definitionally equal to (P a). As before, we first prove that
(terminate a >>= P) is bisimilar to (P a). We can directly prove both strong
and weak bisimilarity using reflexivity of these relations:

Theorem 10.13.1 (Agda Theorem)
monadicLaw₁s : {lu : LUniv}{c₀ c₁ : Choice}
               (a : ChoiceSet c₀)
               (P : ChoiceSet c₀ → Process ∞ {lu} c₁)
               → Bisims (terminate a >>= P) (P a)

Proof:
monadicLaw₁s a P = BismsRef (P a)

Theorem 10.13.2 (Agda Theorem)
monadicLaw₁ : {lu : LUniv}{c₀ c₁ : Choice}
              (a : ChoiceSet c₀)
              (P : ChoiceSet c₀ → Process ∞ {lu} c₁)
              → Bisimw (terminate a >>= P) (P a)

Proof:
monadicLaw₁ a P = BismwRef (P a)

We obtain now that the first monadic law holds with respect to trace
equivalence, stable failures, and FDI equivalence as follows:

Theorem 10.13.3 (Agda Theorem)
monadicLaw₁Trace : {lu : LUniv}{c₀ c₁ : Choice}
                   (a : ChoiceSet c₀)
                   (P : ChoiceSet c₀ → Process ∞ {lu} c₁)
                   → (terminate a >>= P) ≡tr (P a)

Proof:
monadicLaw₁Trace a P = bisimTraceEq≡ (terminate a >>= P) (P a) (monadicLaw₁ a P)

Theorem 10.13.4 (Agda Theorem)
monadicLaw₁SF+ : {lu : LUniv}{c₀ c₁ : Choice}
                 (a : ChoiceSet c₀)
                 (P : ChoiceSet c₀ → Process ∞ {lu} c₁)
                 → (terminate a >>= P) ≡sf (P a)

Proof:
monadicLaw₁SF+ a P = bisimwImplies≡sf (terminate a >>= P) (P a) (monadicLaw₁ a P)

Theorem 10.13.5 (Agda Theorem)
monadicLaw₁FDI+ : {lu : LUniv}{c₀ c₁ : Choice}
                  (a : ChoiceSet c₀)
                  (P : ChoiceSet c₀ → Process ∞ {lu} c₁)
                  → (terminate a >>= P) ≡fdi (P a)

Proof:
monadicLaw₁FDI+ a P = bisimFDIImpEq (terminate a >>= P) (P a) (monadicLaw₁ a P)


10.13.2 Proof of the Third Monadic Law

Next, we carry out the proof of the third monadic law:

   (P >>=+ (λ x → Q x >>= R))

is equal to

   ((P >>=+ Q) >>=+ R)

with respect to our semantic models.

As before, we first prove that the two processes are strongly bisimilar.
The proof in CSP-Agda is as follows:

Theorem 10.13.6 (Agda Theorem)
monadicLaw₁_₃∞ : {lu : LUniv}{c₀ c₁ c₂ : Choice}
                 (P : Process∞ ∞ {lu} c₀)
                 (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
                 (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
                 → Bisims∞ ((P >>=∞ Q) >>=∞ R)
                           (P >>=∞ (λ x → Q x >>= R))

Proof:
forceB (monadicLaw₁_₃∞ P Q R) = monadicLaw₁_₃ (forcep P) Q R

monadicLaw₁_₃ : {lu : LUniv}{c₀ c₁ c₂ : Choice}
                (P : Process ∞ {lu} c₀)
                (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
                (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
                → Bisims ((P >>= Q) >>= R)
                         (P >>= (λ x → Q x >>= R))
monadicLaw₁_₃ (terminate x) Q R = BismsRef ((terminate x >>= Q) >>= R)
monadicLaw₁_₃ (node x) Q R = eqnode (monadicLaw₁_₃+ x Q R)

monadicLaw₁_₃+ : {lu : LUniv}{c₀ c₁ c₂ : Choice}
                 (P : Process+ ∞ {lu} c₀)
                 (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
                 (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
                 → Bisims+ ((P >>=+ Q) >>=+ R)
                           (P >>=+ (λ x → Q x >>= R))
bisim2E (monadicLaw₁_₃+ P Q R) e = e
bisimELab (monadicLaw₁_₃+ P Q R) e = refl
bisimENext (monadicLaw₁_₃+ P Q R) e = monadicLaw₁_₃∞ (PE P e) Q R
bisim2I (monadicLaw₁_₃+ P Q R) (inj₁ (inj₁ x)) = inj₁ x
bisim2I (monadicLaw₁_₃+ P Q R) (inj₁ (inj₂ y)) = inj₂ y
bisim2I (monadicLaw₁_₃+ P Q R) (inj₂ ())
bisimINext (monadicLaw₁_₃+ P Q R) (inj₁ (inj₁ x)) = monadicLaw₁_₃∞ (PI P x) Q R
bisimINext (monadicLaw₁_₃+ P Q R) (inj₁ (inj₂ y)) = monadPT+ P Q R y
bisimINext (monadicLaw₁_₃+ P Q R) (inj₂ ())
bisim2T (monadicLaw₁_₃+ P Q R) ()
bisim2TEq (monadicLaw₁_₃+ P Q R) ()
bisim2Er (monadicLaw₁_₃+ P Q R) e = e
bisimELabr (monadicLaw₁_₃+ P Q R) e = refl
bisimENextr (monadicLaw₁_₃+ P Q R) e = monadicLaw∞ P Q R e
bisim2Ir (monadicLaw₁_₃+ P Q R) (inj₁ x) = inj₁ (inj₁ x)
bisim2Ir (monadicLaw₁_₃+ P Q R) (inj₂ y) = inj₁ (inj₂ y)
bisimINextr (monadicLaw₁_₃+ P Q R) (inj₁ x) = monadicLaw₁_₃∞ (PI P x) Q R
bisimINextr (monadicLaw₁_₃+ P Q R) (inj₂ y) = monadPT+ P Q R y
bisim2Tr (monadicLaw₁_₃+ P Q R) e = e
bisim2TEqr (monadicLaw₁_₃+ P Q R) ()

By using the proof that strong bisimilarity implies DRW-bisimilarity we
prove that the processes are DRW-bisimilar:

Theorem 10.13.7 (Agda Theorem)
monad₃SW+ : {lu : LUniv}{c₀ c₁ c₂ : Choice}
            (P : Process+ ∞ {lu} c₀)
            (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
            (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
            → Bisimw+ ((P >>=+ Q) >>=+ R)
                      (P >>=+ (λ x → Q x >>= R))

Proof:
monad₃SW+ P Q R = bisimsToBismw+ ((P >>=+ Q) >>=+ R)
                                 (P >>=+ (λ x → Q x >>= R))
                                 (monadicLaw₁_₃+ P Q R)

Now we obtain proofs that the two processes are equivalent with respect
to traces, stable failures and FDI semantics:

Theorem 10.13.8 (Agda Theorem)
monadicLaw₃Trace+ : {lu : LUniv}{c₀ c₁ c₂ : Choice}
                    (P : Process+ ∞ {lu} c₀)
                    (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
                    (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
                    → ((P >>=+ Q) >>=+ R) ≡tr+
                      (P >>=+ (λ x → Q x >>= R))

Proof:
monadicLaw₃Trace+ P Q R = bisimTraceEqs+≡ ((P >>=+ Q) >>=+ R)
                                          (P >>=+ (λ x → Q x >>= R))
                                          (monadicLaw₁_₃+ P Q R)

Theorem 10.13.9 (Agda Theorem)
monadicLaw₃SF+ : {lu : LUniv}{c₀ c₁ c₂ : Choice}
                 (P : Process+ ∞ {lu} c₀)
                 (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
                 (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
                 → ((P >>=+ Q) >>=+ R) ≡sf+
                   (P >>=+ (λ x → Q x >>= R))

Proof:
monadicLaw₃SF+ P Q R = bisimsImplies≡sf+ ((P >>=+ Q) >>=+ R)
                                         (P >>=+ (λ x → Q x >>= R))
                                         (monadicLaw₁_₃+ P Q R)

Theorem 10.13.10 (Agda Theorem)
monadicLaw₃FDI+ : {lu : LUniv}{c₀ c₁ c₂ : Choice}
                  (P : Process+ ∞ {lu} c₀)
                  (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
                  (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
                  → ((P >>=+ Q) >>=+ R) ≡fdi+
                    (P >>=+ (λ x → Q x >>= R))

Proof:
monadicLaw₃FDI+ P Q R = bisimsImFdiEquiv ((P >>=+ Q) >>=+ R)
                                         (P >>=+ (λ x → Q x >>= R))
                                         (monadicLaw₁_₃+ P Q R)


10.13.3 The Second Monadic Law

The reader might wonder what happens to the second monadic law, which
says that

   P >>= terminate is equal to P

It turns out that the two processes are, at least with the current definition
of _>>=_, in general not DRW-bisimilar: Let R := l → STOP for some label l,
i.e. R has as its only event an l-transition to STOP. Consider a process P
having a ✓-event with return value a and a τ-transition to R, and let
Q := P >>= terminate. Process Q has a τ-transition to (terminate a) and a
τ-transition to R. What P can do, Q can do as well: the ✓-event can be
simulated by a τ-transition to (terminate a), and the τ-transition to R by the
same τ-transition for Q. However, Q can have a τ-transition to (terminate a),
and this cannot be simulated by P, since P cannot reach a state which is
bisimilar to (terminate a).

Actually, in Schneider's version of stability, the two processes are not
equal with respect to stable failures semantics, since Q has a stable state
(terminate a) in which it refuses everything, whereas P reaches with
τ-transitions only the process R, which cannot refuse l. According to Roscoe's
version of stability, at least according to our interpretation ((terminate a)
is not a CSP process), (terminate a) is not stable, therefore the processes
are equal with respect to stable failures semantics and with respect to FDI
semantics à la Roscoe. One might argue that even with Roscoe (terminate a)
should be a stable state. Since this has strong implications, we leave
exploring it for future work.

One might argue that a τ-transition to (terminate a) should be treated
similarly to a ✓-transition with return value a. However, they behave
differently. Let P₀ have a τ-transition to (terminate a) and an l'-transition
to STOP. Let P₁ have a ✓-event with return value a and the same l'-transition
to STOP. Process P₀ ||| R can have a τ-transition to (terminate a) ||| R, a
state in which it can refuse l'. Process P₁ ||| R cannot execute the
✓-transition, since it needs to synchronise with a ✓-transition of R. It is
stable, and cannot refuse l'.


Possible solution. One solution one might consider is to change the def¬ 
inition of P 3>= Q , so that /-events of P with return value a become, in 
case (Q a) is a terminated process, termination events. In order to do this, 
we need to replace the type of Q a from Processoo to Process. We give here 
a def ini tion of the revised monadic bind: We first define a function deciding 
whether a process has terminated: 

isTerminate : {i : Size}{/ii : LUniv} {c : Choice}(P : Process i { lu } c) 

—>- Bool 

isTerminate (terminate x) = true 
isTerminate (node x) = false 
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isNode : {i : Size}{ht : LUniv} {c : Choice}(F : Process i {lu } c) 
—> Bool 

isNode = nb o isTerminate 

We can extract the return value of a terminated process:

processIsTerminateToResult : {i : Size}{lu : LUniv}{c : Choice}
                             (P : Process i {lu} c)
                             (isTer : True (isTerminate P))
                             → ChoiceSet c
processIsTerminateToResult (terminate x) isTer = x
processIsTerminateToResult (node x) ()

Now the definition of the revised monadic bind is as follows:

_>>=Str_ : {c₀ : Choice} → String
           → (ChoiceSet c₀ → String) → String
s >>=Str f = s ++s ">>=" ++s choice2Str2Str f

mutual
  _>>=∞_ : {i : Size} → {lu : LUniv} → {c₀ c₁ : Choice}
           → Process∞ i {lu} c₀
           → (ChoiceSet c₀ → Process i {lu} c₁)
           → Process∞ i {lu} c₁
  forcep (P >>=∞ Q) = forcep P >>= Q
  Str∞   (P >>=∞ Q) = Str∞ P >>=Str (Str ∘ Q)

  _>>=_ : {i : Size} → {lu : LUniv} → {c₀ c₁ : Choice}
          → Process i c₀
          → (ChoiceSet c₀ → Process i {lu} c₁)
          → Process i c₁
  node P      >>= Q = node (P >>=+ Q)
  terminate x >>= Q = Q x

  _>>=+_ : {i : Size} → {lu : LUniv} → {c₀ c₁ : Choice}
           → Process+ i c₀
           → (ChoiceSet c₀ → Process i {lu} c₁)
           → Process+ i c₁
  E    (P >>=+ Q)   = E P
  Lab  (P >>=+ Q)   = Lab P
  PE   (P >>=+ Q) c = PE P c >>=∞ Q
  I    (P >>=+ Q)   = I P ⊎' subset' (T P)
                               (isNode ∘ (Q ∘ (PT P)))
  PI   (P >>=+ Q) (inj₁ c) = PI P c >>=∞ Q
  forcep (PI (P >>=+ Q) (inj₂ (sub a x))) = Q (PT P a)
  Str∞   (PI (P >>=+ Q) (inj₂ (sub a x))) = Str (Q (PT P a))
  T    (P >>=+ Q)   = subset' (T P)
                        (isTerminate ∘ (Q ∘ (PT P)))
  PT   (P >>=+ Q) (sub a x) = processIsTerminateToResult (Q (PT P a)) x
  Str+ (P >>=+ Q)   = Str+ P >>=Str (Str ∘ Q)

The problem with this definition is, however, that it doesn't respect DRW-
bisimilarity with respect to the second argument: Q := λ a → terminate a
and Q' := λ a → (τ → terminate a) are extensionally weakly bisimilar, but
P >>= Q and P >>= Q' behave quite differently. In order to fix this one would
need to decide whether Q a is termination equivalent, which is undecidable.

One solution is to accept the fact that the 2nd monad law doesn't hold.
Having the first and third monad law gives a structure with quite good
properties, since they correspond very well to the fact that monadic bind means
first executing the first process or program, and then, depending on its
result, executing the second one. That the second argument is actually an
always terminating process or program might not happen very often, so not
having the second monad law might not be a big problem.
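To make the difference between the original and the revised bind concrete, the following Python model is added here as an example; it is not code from the thesis or from the CSP-Agda library. It represents the one-step structure of a process (external choices, τ-choices and ✓-events with return values) as a finite tree, implements both binds on it, and checks the two observations of this section on the constructed processes P, Q and Q': under the original bind P >>= return is not identical to P in its first step (the second monad law fails), while the revised bind restores this but already distinguishes Q from Q' in the first step although both weakly terminate with the same value. The names Node, Terminate, one_step and weak_terminations are this example's own.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Set, Union


@dataclass
class Terminate:
    """terminate a: a process that has already terminated with value a."""
    value: Any


@dataclass
class Node:
    """One step of a non-terminated process (the counterpart of Process+):
    external choices by label, internal (tau) choices, and termination
    (tick) events with their return values.  Continuations are thunks so
    that a process is only unfolded when it is observed."""
    ext: Dict[str, Callable[[], "Process"]] = field(default_factory=dict)
    internal: List[Callable[[], "Process"]] = field(default_factory=list)
    term: List[Any] = field(default_factory=list)


Process = Union[Terminate, Node]


def is_terminate(p: Process) -> bool:
    return isinstance(p, Terminate)


def bind(p: Process, q: Callable[[Any], Process], revised: bool) -> Process:
    """p >>= q.  With revised=False every tick event of p with value a becomes
    a tau-transition to q(a).  With revised=True a tick of p stays a tick of
    p >>= q whenever q(a) is already terminated, and only otherwise becomes
    a tau-transition to q(a)."""
    if is_terminate(p):
        return q(p.value)                          # terminate x >>= Q = Q x
    ext = {lab: (lambda k=k: bind(k(), q, revised)) for lab, k in p.ext.items()}
    internal = [(lambda k=k: bind(k(), q, revised)) for k in p.internal]
    term: List[Any] = []
    for a in p.term:
        if revised and is_terminate(q(a)):
            term.append(q(a).value)                # T / PT of the revised bind
        else:
            internal.append(lambda a=a: q(a))      # I / PI of the revised bind
    return Node(ext, internal, term)


def one_step(p: Process):
    """What the atomic one-step relation shows for p: its external labels,
    the number of tau-transitions, and its tick return values."""
    if is_terminate(p):
        return ("terminated", p.value)
    return (sorted(p.ext), len(p.internal), list(p.term))


def weak_terminations(p: Process) -> Set[Any]:
    """Values p can terminate with after zero or more tau steps (the
    processes in this example are finite, so the recursion ends)."""
    if is_terminate(p):
        return {p.value}
    values = set(p.term)
    for k in p.internal:
        values |= weak_terminations(k())
    return values


# Constructed test processes.  P can do nothing but terminate with value "a".
P: Process = Node(term=["a"])
unit = Terminate                                   # the monadic return


def Q(a):                                          # Q  := λ a → terminate a
    return Terminate(a)


def Q_tau(a):                                      # Q' := λ a → (τ → terminate a)
    return Node(internal=[lambda: Terminate(a)])


def right_identity_holds(revised: bool) -> bool:
    """Second monad law, checked on the one-step structure of P >>= return."""
    return one_step(bind(P, unit, revised)) == one_step(P)


def revised_bind_distinguishes_q_and_q_tau() -> bool:
    """Q a and Q' a agree on weak termination, yet P >>= Q and P >>= Q'
    differ already in their first step under the revised bind."""
    same_weakly = weak_terminations(Q("a")) == weak_terminations(Q_tau("a"))
    different = one_step(bind(P, Q, True)) != one_step(bind(P, Q_tau, True))
    return same_weakly and different
```

Note that the revised bind decides "Q a is terminated" purely syntactically (is_terminate), which is exactly why a single τ in Q' changes the result; deciding termination up to weak bisimilarity, as the text remarks, would not be computable in general.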
Chapter 11

Case Study: Safety for Railway Interlocking Systems

Systems, for which failure or malfunction cannot be tolerated, and for which 
failure may result in one or more hazardous outcomes like loss of life, sig¬ 
nificant property damage or damage to the environment, are called critical 
systems (Knight [2002], Storey [1996], Fowler [2009]). There are three kinds 
of critical systems: 

• Safety critical systems, where the failure of the system could result
in loss of life or damage to the environment (Storey [1996]). Examples
are medical devices, e.g. automated infusion pumps; systems in the
area of aerospace, such as civil aviation, military aviation, and manned
space travel; and traffic control, such as railway control systems, air
traffic control, road traffic control, and automotive control systems.

• Mission critical systems, where a malfunction may fail some goal- 
directed activity, for example, a navigational system of a space probe 
(Storey [1996]). 

• Business critical systems, where failure could lead to very high 
costs for the business using that system. Examples are the customer 
account system in a bank, an online shopping cart, areas where secrecy 
is required such as secret service, and sensitive areas in companies. 

Formal methods can be used in the design and development of such systems
to reduce the risk of failure (Rushby [1989]). CSP-Agda aims to support
the modelling and verification of critical systems such as railway systems.

In this chapter we demonstrate our results by modelling a simple scenario
for railways in CSP and CSP-Agda. We will investigate the use of the process
algebra CSP together with the model checker FDR, and of CSP-Agda, to
verify the system. Checking our model against the given safety properties,
the signalling principles, will provide, in case of failure, counterexamples that
help to debug the given possible scenario design. We then prove deadlock
and livelock freedom of the corrected system. This work gives a successful
example of how CSP-Agda can be used to support the industrial development
process.


11.1 Specifying a Possible Scenario for Railways in Natural Language

In modern railway traffic, various train services usually run on the same track
of a railway section (Huisman and Boucherie [2001]). Railway signalling
systems are used to direct train traffic and keep trains clear of each other at
all times. Trains move on a fixed path, so, unless they derail, the only reason
for a collision is that two trains are allowed to access the same track segment
(Newman [1995]). In the following scenario for railways, two trains leave
different stations heading toward each other, to cross the same segment with
a single track. The signalling system should guarantee the safe movement
of both trains. Therefore, a train asks the signal control system to be
allowed to cross the segment. If the segment is free (not occupied by another
train), then the signalling system will set the signal to green; otherwise, it
will keep it red, see Fig. 11.1.


Figure 11.1: Text (diagram of the layout: Signal1, Train1, Segment1, Train2, Signal2)


11.2 CSP and CSP-Agda Specification 

We consider a railway as consisting of the three separate physical components
shown in Fig. 11.1.

• The signals, which can show the aspects green or red according to the
status of the segment.

• The train segments.

• Finally, the train component. In our scenario, we have two trains.

We will in the following model the processes in CSP by using CSP_M,
which is the machine-readable version of CSP introduced in Roscoe [1998].

We have only one segment, therefore the type of segments is given as
follows:

datatype SEGMENT = seg1

This is specified in CSP-Agda in the following way:

data SEGMENT : Set where seg1 : SEGMENT

We have one signal on each end of the segment, guarding access to the
segment, specified in CSP and CSP-Agda in the following way:

datatype SIGNAL = sig1 | sig2
data SIGNAL : Set where sig1 sig2 : SIGNAL

In our case, the set TRAIN contains two elements only. This setup is
defined in CSP and CSP-Agda as follows:

datatype TRAIN = ta | tb
data TRAIN : Set where ta tb : TRAIN

In this definition, we named the trains ta and tb. The signal aspects
in our setting can be either red or green, specified in CSP and CSP-Agda
in the following way:

datatype ASPECT = red | green
data ASPECT : Set where red green : ASPECT

The segment can be in two states: either free, which means there is no
train in the segment, or blocked, which means the segment is currently occupied
by a train. This is defined in CSP and CSP-Agda as follows:

datatype SEG_STATE = free | blocked
data SEGSTATE : Set where free blocked : SEGSTATE

We also statically define some events or channels. The first one is get_segm,
which allows a train to request whether a segment is in a given state, which can
be either free or blocked. This is specified in CSP in the following way:

channel get_segm : TRAIN.SEGMENT.SEG_STATE

In Agda we define a data type of labels with a constructor for each channel.
The definition in CSP-Agda of the type of labels, together with the constructor
corresponding to get_segm, is as follows:

data LabelTrains : Set where
  getSegm : TRAIN → SEGMENT → SEGSTATE → LabelTrains

We have the channel set_segm, which allows a train to request that a
segment is set to a given state. This is described in CSP as follows:

channel set_segm : TRAIN.SEGMENT.SEG_STATE

In CSP-Agda we add a constructor to LabelTrains:

  setSegm : TRAIN → SEGMENT → SEGSTATE → LabelTrains

Similarly, set_sig allows a train to request that a signal is set to an aspect,
which can be red or green. This is defined in CSP as the following channel
and in CSP-Agda as a constructor of LabelTrains:

channel set_sig : TRAIN.SIGNAL.ASPECT
  setSig : TRAIN → SIGNAL → ASPECT → LabelTrains

Finally, we define the event which sets a signal to a given aspect, in CSP
and CSP-Agda:

channel set_sigs : SIGNAL.ASPECT
  setSigs : SIGNAL → ASPECT → LabelTrains

Next, we specify the dynamic part of the scenario for railways. Using CSP 
language, we model the behaviour of a possible scenario for railways through 
several processes that interact with each other: the Train, the Signals, and 
the Segment. 

First we introduce the notion of external choice indexed over an index
set. In CSP_M notation

([] newasp : ASPECT @ set_sig.t.sig.newasp -> SIG_CTL(sig))

stands for the external choice of

set_sig.t.sig.newasp -> SIG_CTL(sig)

indexed over newasp : ASPECT.

In CSP-Agda we define the function |□|, which defines the external choice
of processes indexed over a list of elements of type A. It takes as arguments
a list of elements of type A and a function mapping elements of A to
processes, and produces as result the external choice over those processes. It
is defined as follows:

|□| : {i : Size} {c : Choice} {lu : LUniv} {A : Set} → List A
      → (A → Process i {lu} c) → Process i {lu} c
|□| {i} {c} []            f = STOP c
|□| {i} {c} (a ∷ [])      f = f a
|□| {i} {c} (a ∷ (b ∷ l)) f = fmap c⊎'c→c ((f a) □ (|□| (b ∷ l) f))


The movement of a train is constrained by the current aspect of the signal.
The control system for signals sets a signal to a new aspect repeatedly. In
CSP we obtain the following definition:

SIG_CTL(sig) = ([] t : TRAIN @ ([] newasp : ASPECT @
                  set_sig.t.sig.newasp -> SIG_CTL(sig)))

In CSP-Agda the definition is as follows:

SIGCTL : {i : Size}(sig : SIGNAL) → Process∞ i {labelTrains} ∅'
forcep (SIGCTL sig) = |□| {lu = labelTrains} LabelListTRAIN λ tr →
                      |□| {lu = labelTrains} LabelListASPECT λ asp →
                      lab (setSig tr sig asp) ⟶ SIGCTL sig
Str∞ (SIGCTL sig) = "SIGCTL" ++s showSIGNAL sig

Here ⟶ is the prefix operation in CSP-Agda, where the process argument
is an element of Process∞.

The process SEG_CTL(seg,segstate) for monitoring the segment can get
the state of the segment, and set its state. It is defined in CSP as follows:

SEG_CTL(seg,segstate) =
  ([] t : TRAIN @
     get_segm.t.seg.segstate -> SEG_CTL(seg,segstate))
  []
  ([] t : TRAIN @ ([] newsegstate : SEG_STATE @
     set_segm.t.seg.newsegstate -> SEG_CTL(seg,newsegstate)))

In CSP-Agda we first define the two subprocesses for getting and setting the
segment, and then define the external choice of these two processes. Note
that this is, as before, a corecursive definition, so we define it by guarded
recursion: productivity is guaranteed because the corecursive call is made
only after applying the observation forcep to the corecursively defined
function. We require as well the operation fmap, which in this case changes
the return type ∅' ⊎' ∅' to ∅'; this doesn't do anything but is needed for type
correctness.


mutual
  SEGCTL1 : {i : Size}(seg : SEGMENT)(segstate : SEGSTATE)
            → Process∞ i {labelTrains} ∅'
  forcep (SEGCTL1 seg segstate) = |□|tr LabelListTRAIN λ tr →
                                  lab (getSegm tr seg segstate)
                                  ⟶ SEGCTL seg segstate
  Str∞ (SEGCTL1 seg segstate) = "SEGCTL1" ++s showSEGMENT seg
                                ++s showSEGSTATE segstate

  SEGCTL2 : {i : Size}(seg : SEGMENT)(segstate : SEGSTATE)
            → Process∞ i {labelTrains} ∅'
  forcep (SEGCTL2 seg segstate) = |□|tr LabelListTRAIN λ tr →
                                  |□|tr LabelListSEGSTATE λ newsegstate →
                                  lab (setSegm tr seg newsegstate)
                                  ⟶ SEGCTL seg newsegstate
  Str∞ (SEGCTL2 seg segstate) = "SEGCTL2" ++s showSEGMENT seg
                                ++s showSEGSTATE segstate

  SEGCTL : {i : Size}(seg : SEGMENT)(segstate : SEGSTATE)
           → Process∞ i {labelTrains} ∅'
  forcep (SEGCTL seg segstate) = fmap {labelTrains} ∅'⊎'∅'→∅'
                                 (forcep (SEGCTL1 seg segstate) □wNam
                                  forcep (SEGCTL2 seg segstate)
                                  Using □toStringSimple , □fmapNameSimple ,
                                        □fmapNameSimple)
  Str∞ (SEGCTL seg segstate) = "SEGCTL" ++s showSEGMENT seg
                               ++s showSEGSTATE segstate


Here _□wNam_Using_,_,_ is external choice, but with explicit functions
for forming the string name of the resulting process from the names
of its process arguments. This is used so that CSP-Agda-Simulator displays
a good name for this process. The function has three such arguments: one forming
the name if we still have the external choice, which depends on the names of the
two processes; one for forming the name in case the process has become fmap
applied to the first process, which depends on the name of that process;
and one for forming it if it has become fmap applied to the second process,
depending on the name of the second process. Its type is

_□wNam_Using_,_,_ : {c₀ c₁ : Choice} → {i : Size} → {lu : LUniv}
                    → Process i {lu} c₀
                    → Process i {lu} c₁
                    → (□name : String → String → String)
                    → (□fmapLeftName : String → String)
                    → (□fmapRightName : String → String)
                    → Process i {lu} (c₀ ⊎' c₁)

The processes train enter TRAIN_ENTER(tr,segm,sig) and train leave
TRAIN_LEAVE(tr,segm,sig) model the functionality of moving the train into
and out of the segment in question. TRAIN_ENTER checks whether the segment
is free, then sets the signal to green and then the segment to blocked,
and then switches to the TRAIN_LEAVE process. The TRAIN_LEAVE process
sets the segment to free, sets the signal to red and switches back to
TRAIN_ENTER. The reader might discover that this is unsafe; this is
deliberate and will be discussed later. The definition is as follows:

TRAIN_ENTER(tr,segm,sig) = get_segm.tr.segm.free
                           -> set_sig.tr.sig.green
                           -> set_segm.tr.segm.blocked
                           -> TRAIN_LEAVE(tr,segm,sig)
TRAIN_LEAVE(tr,segm,sig) = set_segm.tr.segm.free
                           -> set_sig.tr.sig.red
                           -> TRAIN_ENTER(tr,segm,sig)

The definition in CSP-Agda is as follows:
TRAINENTER : {i : Size}(tr : TRAIN)(seg : SEGMENT)(sig : SIGNAL)
             → Process∞ i {labelTrains} ∅'
forcep (TRAINENTER tr seg sig) = lab (getSegm tr seg free)
                                 ⟶p ((lab (setSig tr sig green)
                                 ⟶p (lab (setSegm tr seg blocked)
                                 ⟶ TRAINLEAVE tr seg sig)))
Str∞ (TRAINENTER tr seg sig) = "TRAINENTER" ++s showTRAIN tr ++s
                               showSEGMENT seg ++s showSIGNAL sig

TRAINLEAVE : {i : Size}(tr : TRAIN)(seg : SEGMENT)(sig : SIGNAL)
             → Process∞ i {labelTrains} ∅'
forcep (TRAINLEAVE tr seg sig) = lab (setSegm tr seg free)
                                 ⟶p (lab (setSig tr sig red)
                                 ⟶ TRAINENTER tr seg sig)
Str∞ (TRAINLEAVE tr seg sig) = "TRAINLEAVE" ++s showTRAIN tr ++s
                               showSEGMENT seg ++s showSIGNAL sig

Here ⟶p is the prefix operator, but with its process argument in Process.

Finally, we have three controllers, which control the signals at each end
of the segment and the status of the segment. Each one works independently
of the others, and we use the interleaving operator to represent this in CSP.
This combination is defined as follows:

(SIG_CTL(sig1) ||| SIG_CTL(sig2) ||| SEG_CTL(seg1,free))

In CSP-Agda it is defined as follows:

SYSTEMp1 : {i : Size} → Process∞ i {labelTrains} (∅' ×' ∅' ×' ∅')
SYSTEMp1 = (SIGCTL sig1 |||wNam∞ SIGCTL sig2
              Using |||toStringSimple , fmapNameSimple , fmapNameSimple)
           |||wNam∞ SEGCTL seg1 free
              Using |||toStringSimple , fmapNameSimple , fmapNameSimple

Here we use _|||wNam∞_Using_,_,_, which is interleaving _|||_, but,
similar to _□wNam_Using_,_,_, has extra arguments for forming a good
name for the resulting process from the names of its arguments.

For the train movement, we have two controllers, which control the
movement of the train from each side of the segment. These controllers work
independently as well, so we use the interleaving operator to define this in CSP:

(TRAIN_ENTER(ta,seg1,sig1) ||| TRAIN_ENTER(tb,seg1,sig2))

The definition in CSP-Agda is as follows:

SYSTEMp2 : {i : Size} → Process∞ i {labelTrains} (∅' ×' ∅')
SYSTEMp2 = TRAINENTER ta seg1 sig1 |||wNam∞
           TRAINENTER tb seg1 sig2 Using
           |||toStringSimple , fmapNameSimple , fmapNameSimple


Based on the combined controller processes we form a larger process, called
SYSTEM, in which trains, segment and signals interact by synchronising on all
events. The complete system is defined in CSP as follows:

SYSTEM = (SIG_CTL(sig1) ||| SIG_CTL(sig2) ||| SEG_CTL(seg1,free))
           [| {| get_segm, set_segm, set_sig |} |]
         (TRAIN_ENTER(ta,seg1,sig1) ||| TRAIN_ENTER(tb,seg1,sig2))

It is defined in CSP-Agda as follows:

SYSTEM : {i : Size} → Process∞ i {labelTrains} (∅' ×' ∅' ×' ∅' ×' (∅' ×' ∅'))
SYSTEM = SYSTEMp1 [ (λ x → true) ]||wNam∞[ (λ x → true) ] SYSTEMp2
           Using [||]toStringSimple , fmapNameSimple , fmapNameSimple


11.3 Verification of a Possible Scenario for Railways Using FDR

The basic safety property we want to prove for our layout is that there are no
two green signals at the same time. We formalise this principle in terms of
signals. This provides a higher-level description than a formalisation using
trains and segments, since it directly expresses the property that both
signals are never green at the same time. This is important since we can only
verify that a process fulfils its specification, but not that the specification is
sufficient to guarantee the requirement of safety; the latter is an instance
of validation. Therefore, it is crucial that it is as clear as possible that the
formal specification really codifies the desired requirement.



Once we have formalised the properties appropriately, we can apply them to
our model. We model these general principles as CSP processes. The FDR
tool then allows us to check the refinement between the properties and the
primary model.

The general idea of modelling properties is that we either model a good
behaviour that does satisfy the principle and show that a given process refines it,
or we model a wrong behaviour, which we want to exclude from the model, and
show that a given process does not refine it.

In the following, we describe more concretely how this works for our
properties. In our setting, as discussed at the beginning, we want to
check that our system is free from harmful behaviour such as having two
green signals at the same time. We formalise this property in CSP as follows:

BAD_SIGNALS = set_sigs.sig1.green -> set_sigs.sig2.green -> STOP
              []
              set_sigs.sig2.green -> set_sigs.sig1.green -> STOP

Now we abstract our system by hiding the set_segm and get_segm channels
using the hiding operator, and then renaming the channel set_sig to set_sigs.
Therefore only the changes of the signals are visible. We define it in CSP as
follows:

SYSTEM_SIGONLY =
  (SYSTEM \ {| set_segm, get_segm |})
  [[ set_sig.ta.sig1.red   <- set_sigs.sig1.red,
     set_sig.ta.sig1.green <- set_sigs.sig1.green,
     set_sig.ta.sig2.red   <- set_sigs.sig2.red,
     set_sig.ta.sig2.green <- set_sigs.sig2.green,
     set_sig.tb.sig1.red   <- set_sigs.sig1.red,
     set_sig.tb.sig1.green <- set_sigs.sig1.green,
     set_sig.tb.sig2.red   <- set_sigs.sig2.red,
     set_sig.tb.sig2.green <- set_sigs.sig2.green ]]

In CSP-Agda we first carry out the hiding:


hideInSystem : Label labelTrains → Bool
hideInSystem (lab (setSig _ _ _)) = false
hideInSystem (lab (setSigs _ _))  = false
hideInSystem l                    = true

SYSTEMSHIDE : {i : Size} → Process∞ i {labelTrains}
                (∅' ×' ∅' ×' ∅' ×' (∅' ×' ∅'))
SYSTEMSHIDE = HideWithName∞ nameHideInSystem hideInSystem SYSTEM

and then the renaming:

renameInSystem : Label labelTrains → Label labelTrains
renameInSystem (lab (setSig x x₁ x₂)) = lab (setSigs x₁ x₂)
renameInSystem l                      = l

SYSTEM-SIGONLY : {i : Size} → Process∞ i {labelTrains}
                   (∅' ×' ∅' ×' ∅' ×' (∅' ×' ∅'))
SYSTEM-SIGONLY = RenameWithName∞ nameRenamInSystem
                   renameInSystem SYSTEMSHIDE

Now we can check whether our system has that bad behaviour by using
the FDR tools. To this end, we use the following CSP assertion, a trace
refinement check between SYSTEM_SIGONLY and BAD_SIGNALS:

assert SYSTEM_SIGONLY [T= BAD_SIGNALS

When we used the FDR tools, see Fig. 11.2, we found, as expected, that the
bad trace occurs in the system, which means that it is possible to have two
signals green at the same time and that a collision could happen. The reason
is a race condition: train 1 can check whether the segment is free, and then
set the signal to green. Before it then sets the segment to blocked, train 2
can check whether the segment is free, which is still the case, since it hasn't
been set to blocked yet. It can then set the other signal to green. Then both
trains set the segment to blocked.

Race conditions arise in programs which have multiple threads. More
information about race conditions can be found in Netzer and Miller [1992],
Emrath et al. [1989], and Nudler and Rudolph [1986].


11.4 Verification/Simulation of the Case Study

In this section, we use different simulator tools for CSP to simulate our
possible scenario for railways. Among these tools, we use the ProBE tool
and CSP-Agda-Simulator.

Figure 11.2: Bad behaviour Using FDR Tools


11.4.1 Simulation using ProBE

In CSP, the ProBE tool is used to simulate specifications. The user interface
presents a state and all events that are possible from that state. The user
may then continue through the model along every possible valid trace by
selecting the events of that trace. The user is prevented from selecting any
events which are not part of the trace. For instance, if a system has only one
external choice, with say label a, then the user will not be allowed to engage
in an event with label b. ProBE is helpful in checking for the existence
of traces which the user does not wish to be valid in the specification. In
our case, we simulate the bad behaviour using the ProBE tool as shown in
Fig. 11.3.

11.4.2 Simulation using CSP-Agda-Simulator

Similar to the ProBE tool, our simulator in CSP-Agda has the same
possibilities, see Chapter 6 for more information. An example run of the simulator
is shown in Fig. 11.4.

Figure 11.3: Simulate bad behaviour Using ProBE Tools

11.4.3 Verification in CSP-Agda

In CSP-Agda we can show the refinement statement. In order to simplify the
proof we first optimise the system slightly, by replacing the choice sets so that
they decode to a finite set of n elements Fin n. This substantially reduces the
number of cases. The following theorem is shown by making case distinctions
on the possible traces of BADSIGNALS, and showing that each trace is a trace
of OPTIMIZED-SYSTEM. Here the CSP-Agda simulator is helpful, because
with it we can determine the exact trace needed and which choices are to
be made. The proof is as follows (we omit the boring case distinction in the
proof; the full proof can be found in the appendix):

badSignal : OPTIMIZED-SYSTEM ⊑∞ BADSIGNALS
badSignal = -- Proof omitted in thesis,
            -- available in the CSP-Agda repository


11.5 Correcting the System

In order to fix the problem we change the process SEG_CTL: when asked
whether the segment is in a state, it switches to a new process SEG_CTL1,
in which state it will accept only requests for the segment in question to be
set to a new state, after which it returns to the original process. This means
> ./agda/trainExample
Termination-Events:
Events: :t int(r.r.(r.l.r.0,r.0)):t
Choose Event
int(r.r.(r.1.1.0,1.0))
-t->
Termination-Events:
Events: ext(r.(l.l.l.r.0,l.0)):siglgreen int(r.r.(r.l.r.0,r.0)):t
Choose Event
ext(r.(l.l.i.r.0,1.0))
-siglgreen->
Termination-Events:
Events: int(r.r.(r.l.r.0,r.0)):t int(r.r.(r.r.l.r.0,l.0)):t
Choose Event
int(r.r.(r.l.r.0,r.O))
-t->
Termination-Events:
Events: ext(r.(l.r.r.r.0,r.0)):sig2green int(r.r.(r.r.l.r.0,l.0)):t
Choose Event
ext(r.(l.r.r.r.0,r.O))
-sig2green->
Termination-Events:
Events: int(r.r.(r.r.l.r.0,l.0)):t int(r.r.(r.r.r.r.0,r.0)):t
Choose Event

Figure 11.4: Simulate Bad behaviour Using CSP-Agda Simulator


that this process essentially takes a lock on controlling the segment, which 
can only be released by setting the state of the segment in question to a new 
state. 

The definition in CSP is as follows:

SEG_CTL(seg,segstate) =
  ([] t : TRAIN @
     get_segm.t.seg.segstate -> SEG_CTL1(seg,segstate))
  []
  ([] t : TRAIN @ ([] newsegstate : SEG_STATE @
     set_segm.t.seg.newsegstate -> SEG_CTL(seg,newsegstate)))

SEG_CTL1(seg,segstate) =
  ([] t : TRAIN @ ([] newsegstate : SEG_STATE @
     set_segm.t.seg.newsegstate -> SEG_CTL(seg,newsegstate)))
The definition in CSP-Agda is as follows: 


mutual
  SEGCTLa : {i : Size}(seg : SEGMENT)(segstate : SEGSTATE)
            → Process∞ i {labelTrains} ∅'
  forcep (SEGCTLa seg segstate) = |□|tr LabelListTRAIN λ tr →
                                  lab (getSegm tr seg segstate)
                                  ⟶ SEGCTL1 seg segstate
  Str∞ (SEGCTLa seg segstate) = "SEGCTLa" ++s showSEGMENT seg
                                ++s showSEGSTATE segstate

  SEGCTLb : {i : Size}(seg : SEGMENT)(segstate : SEGSTATE)
            → Process∞ i {labelTrains} ∅'
  forcep (SEGCTLb seg segstate) = |□|tr LabelListTRAIN λ tr →
                                  |□|tr LabelListSEGSTATE λ newsegstate →
                                  lab (setSegm tr seg newsegstate)
                                  ⟶ SEGCTL seg newsegstate
  Str∞ (SEGCTLb seg segstate) = "SEGCTLb" ++s showSEGMENT seg
                                ++s showSEGSTATE segstate

  SEGCTL1 : {i : Size}(seg : SEGMENT)(segstate : SEGSTATE)
            → Process∞ i {labelTrains} ∅'
  forcep (SEGCTL1 seg segstate) = |□|tr LabelListTRAIN λ tr →
                                  |□|tr LabelListSEGSTATE λ newsegstate →
                                  lab (setSegm tr seg newsegstate)
                                  ⟶ SEGCTL seg newsegstate
  Str∞ (SEGCTL1 seg segstate) = "SEGCTL1" ++s showSEGMENT seg
                                ++s showSEGSTATE segstate

  SEGCTL : {i : Size}(seg : SEGMENT)(segstate : SEGSTATE)
           → Process∞ i {labelTrains} ∅'
  forcep (SEGCTL seg segstate) = fmap ∅'⊎'∅'→∅'
                                 (forcep (SEGCTLa seg segstate) □wNam
                                  forcep (SEGCTLb seg segstate)
                                  Using □toStringSimple , □fmapNameSimple ,
                                        □fmapNameSimple)
  Str∞ (SEGCTL seg segstate) = "SEGCTL" ++s showSEGMENT seg
                               ++s showSEGSTATE segstate


A second correction needed is that in the TRAIN_LEAVE process we
need to set first the signal to red and then the segment to free. Otherwise,
when the segment is set to free, the other train could see that it is free and
set it to blocked and its signal to green, resulting in two green signals. The
corrected version is as follows:

TRAIN_ENTER(tr,segm,sig) = get_segm.tr.segm.free
                           -> set_sig.tr.sig.green
                           -> set_segm.tr.segm.blocked
                           -> TRAIN_LEAVE(tr,segm,sig)
TRAIN_LEAVE(tr,segm,sig) = set_sig.tr.sig.red
                           -> set_segm.tr.segm.free
                           -> TRAIN_ENTER(tr,segm,sig)

Now the ProBE tool rejects the refinement statement, and the violating
trace cannot be found any more in the simulator of CSP-Agda.

We can simulate the process using the CSP-Agda simulator. However,
showing that we don't get a bad trace requires simulating all possibilities
manually, until any further trace would be too long to still be the bad trace,
and checking that the bad trace is not a possibility.

What is more convincing is to prove in CSP-Agda that the refinement
statement between OPTIMIZED-SYSTEM and BADSIGNALS does not hold.
What one can do is determine a trace of BADSIGNALS, and then show that
this trace is not a trace of OPTIMIZED-SYSTEM. It results in a rather big
case distinction, in which we expand all possible proofs that it is a trace of
OPTIMIZED-SYSTEM, and show that none is actually a proof. This can be
done purely mechanically. The code (we exclude the very long and boring
case distinction) is as follows:


badTraceLabels : List (Label labelTrains)
badTraceLabels = lab (setSigs sig1 green) ∷ lab (setSigs sig2 green) ∷ []

badTraceBadSignal : Tr∞ {labelTrains} badTraceLabels nothing BADSIGNALS
badTraceBadSignal = tnode (extc (lab (setSigs sig2 green) ∷ []) nothing (inj₁ zero)
                      (tnode (extc [] nothing zero
                        (tnode empty))))

noTraceBadSignal : (m : Maybe (ChoiceSet (∅' ×' ∅' ×' ∅' ×' (∅' ×' ∅'))))
                   (l : List (Label labelTrains))
                   (tr : Tr∞ {labelTrains} l m OPTIMIZED-SYSTEM)
                   (mm' : m ≡ nothing)
                   (ll' : l ≡ badTraceLabels)
                   → ⊥
noTraceBadSignal = -- Proof omitted in thesis,
                   -- available in the CSP-Agda repository

badSignalProof : ¬ (OPTIMIZED-SYSTEM ⊑∞ BADSIGNALS)
badSignalProof x = noTraceBadSignal nothing badTraceLabels
                     (x badTraceLabels nothing badTraceBadSignal)
                     refl refl

It turns out that even such a small example is quite time consuming, and
requires a lot of computer resources for type checking. In the future we
want to improve the optimisation, so that at least such kinds of proofs can be
done easily.

In fact, such kinds of finite examples should be delegated to a model
checker. Karim Kanso has developed a plugin which allows integrating
automated theorem proving tools into Agda (Kanso [2012], Kanso and Setzer
[2014]). Unfortunately, at the time of writing the thesis it is no longer
supported, although some researchers have become interested in supporting it.
It would still require substantial work to combine it with CSP-Agda, but
it would be very beneficial: we could do finite boring proofs using a model
checker, and concentrate on proving interactively more universal statements,
such as relationships between CSP-Agda proofs and specifications, which one
cannot prove using a model checker, which requires a fixed finite system.
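The race found in Section 11.3 and the two corrections of Section 11.5 can also be checked by exhaustively exploring all interleavings of the two trains, which is what a model checker does for this finite system. The following Python program is added here as an example; it is not code from the thesis, from CSP-Agda or from the FDR tools. It encodes SIG_CTL, SEG_CTL (with or without the SEG_CTL1 lock) and TRAIN_ENTER/TRAIN_LEAVE (with either order of events in TRAIN_LEAVE) as a finite state space synchronised on get_segm, set_segm and set_sig, searches breadth-first for a state with two green signals, and projects a counterexample the way SYSTEM_SIGONLY does. The state encoding, the flags lock_segment and red_before_free, and the helper names explore and sig_only are this example's own choices.

```python
from collections import deque
from typing import Dict, List, Optional, Tuple

TRAINS = ("ta", "tb")
SIGNAL_OF = {"ta": "sig1", "tb": "sig2"}   # the signal guarding each train's entry

# A state is a tuple so that it can be used as a dictionary key:
#   (aspect of sig1, aspect of sig2, segment state, pc of ta, pc of tb, locked)
# `locked` is True while SEG_CTL sits in SEG_CTL1 (segment-lock correction only).
State = Tuple[str, str, str, int, int, bool]
INITIAL: State = ("red", "red", "free", 0, 0, False)


def train_program(tr: str, red_before_free: bool) -> List[str]:
    """Cyclic event sequence of TRAIN_ENTER followed by TRAIN_LEAVE."""
    sig = SIGNAL_OF[tr]
    enter = [f"get_segm.{tr}.seg1.free", f"set_sig.{tr}.{sig}.green",
             f"set_segm.{tr}.seg1.blocked"]
    leave = [f"set_sig.{tr}.{sig}.red", f"set_segm.{tr}.seg1.free"]
    if not red_before_free:      # the original TRAIN_LEAVE frees the segment first
        leave.reverse()
    return enter + leave


def successors(state: State, lock_segment: bool,
               red_before_free: bool) -> List[Tuple[str, State]]:
    """Events enabled in `state` once the trains are synchronised with SIG_CTL
    and SEG_CTL on get_segm, set_segm and set_sig, each with its target state."""
    sig1, sig2, seg, pc_ta, pc_tb, locked = state
    aspects = {"sig1": sig1, "sig2": sig2}
    pcs = {"ta": pc_ta, "tb": pc_tb}
    enabled = []
    for tr in TRAINS:
        prog = train_program(tr, red_before_free)
        event = prog[pcs[tr]]
        channel, _, _, value = event.split(".")
        new_aspects, new_seg, new_locked = dict(aspects), seg, locked
        if channel == "get_segm":
            # SEG_CTL offers get_segm only with the segment's current state;
            # SEG_CTL1 (lock held) offers no get_segm at all.
            if seg != value or locked:
                continue
            new_locked = lock_segment
        elif channel == "set_segm":  # accepted by SEG_CTL and SEG_CTL1 alike
            new_seg, new_locked = value, False
        else:                        # set_sig: SIG_CTL accepts any new aspect
            new_aspects[SIGNAL_OF[tr]] = value
        new_pcs = dict(pcs)
        new_pcs[tr] = (pcs[tr] + 1) % len(prog)
        enabled.append((event, (new_aspects["sig1"], new_aspects["sig2"], new_seg,
                                new_pcs["ta"], new_pcs["tb"], new_locked)))
    return enabled


def both_green(state: State) -> bool:
    return state[0] == "green" and state[1] == "green"


def trace_to(state: State, parent) -> List[str]:
    events = []
    while parent[state] is not None:
        state, event = parent[state]
        events.append(event)
    return events[::-1]


def explore(lock_segment: bool, red_before_free: bool):
    """Breadth-first search over every interleaving of the two trains.
    Returns (shortest trace reaching two green signals or None,
             list of reachable states with no enabled event)."""
    parent: Dict[State, Optional[Tuple[State, str]]] = {INITIAL: None}
    queue = deque([INITIAL])
    bad_trace, deadlocks = None, []
    while queue:
        s = queue.popleft()
        if bad_trace is None and both_green(s):
            bad_trace = trace_to(s, parent)
        succ = successors(s, lock_segment, red_before_free)
        if not succ:
            deadlocks.append(s)
        for event, t in succ:
            if t not in parent:
                parent[t] = (s, event)
                queue.append(t)
    return bad_trace, deadlocks


def sig_only(trace: List[str]) -> List[str]:
    """The SYSTEM_SIGONLY abstraction of a trace: hide get_segm and set_segm
    and rename set_sig.t.sig.asp to set_sigs.sig.asp."""
    visible = []
    for event in trace:
        channel, _, sig, asp = event.split(".")
        if channel == "set_sig":
            visible.append(f"set_sigs.{sig}.{asp}")
    return visible


if __name__ == "__main__":
    for lock, red_first in [(False, False), (True, False), (False, True), (True, True)]:
        trace, dead = explore(lock, red_first)
        print(f"lock={lock} red_before_free={red_first}: "
              f"bad trace={sig_only(trace) if trace else None} deadlocks={len(dead)}")
```

For the original system the search returns exactly the race described in Section 11.3 (get_segm.ta, set_sig.ta green, get_segm.tb, set_sig.tb green), whose projection ⟨set_sigs.sig1.green, set_sigs.sig2.green⟩ is a trace of BAD_SIGNALS. Applying only the SEG_CTL1 lock, or only the reordering of TRAIN_LEAVE, still leaves a trace to two green signals; only both corrections together remove it, and the corrected finite model has no reachable state without an enabled event.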
Chapter 12

Summary


This research aims to give the type theoretic interactive theorem prover Agda
the ability to model and verify concurrent programs by representing the
process algebra CSP in monadic form, together with its semantics. In our
approach, we represent processes coinductively. The termination checker of
Agda guarantees productivity of processes. This allows defining processes
recursively without having to reduce them to the recursion combinator. Since
processes are given coinductively, we introduce processes by extended
primitive corecursion, also called guarded recursion. The principle of primitive
corecursion guarantees that processes are productive. This means that for a
process we can determine whether it terminates or not. In case it terminates,
we can compute the result returned, and, in case it doesn't terminate, we
can determine which next transitions it can make, and the processes reached
after these transitions.

Processes in our approach are similar to interactive programs. They are
defined using an atomic operation, corresponding to the next transitions
they can make. The operators of CSP are in our approach defined
operations, which combine processes defined from atomic operations. The set of
processes forms a monad (Process A), which depends on a set A. Using this
we can define a dependent composition (monadic bind) and a dependent loop
construct rec for processes.

We have written a simulator, called CSP-Agda-Simulator, in Agda. The
simulator displays the process as a string. Then it computes and displays the
set of termination events and their results, and of external and internal
choices together with their labels. The simulator is written in the same
language, Agda, as the language in which proofs are carried out, using the
unique feature of Agda of being both a dependently typed programming language
and an interactive theorem prover.

We implemented the trace semantics of CSP in Agda, together with the
corresponding refinement and equality relations, formally in CSP-Agda. To
demonstrate the proof capabilities of CSP-Agda, we proved in CSP-Agda
selected algebraic laws of CSP based on trace semantics. In our approach,
while processes are defined coinductively, trace semantics is defined
inductively, using the fact that traces are finite objects.
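As an added illustration of the two points above, here is a minimal Agda example that is not code from CSP-Agda or from this thesis: a coinductive record observed through its fields (copatterns), a guarded corecursive definition that the termination checker accepts as productive because of sized types, and an inductive observation that extracts a finite prefix, mirroring the coinductive process / inductive trace split. The names Stream, nats and take are chosen here and are not part of CSP-Agda.

```agda
{-# OPTIONS --sized-types #-}
module ProductivityExample where

open import Size
open import Data.Nat using (ℕ; zero; suc)
open import Data.List using (List; []; _∷_)

-- A coinductive type given by its observations, in the same way that
-- Process∞ in CSP-Agda is given by forcep. The size index i bounds how
-- many times the structure may be unfolded. (Assumed example type.)
record Stream (i : Size) (A : Set) : Set where
  coinductive
  field
    head : A
    tail : {j : Size< i} → Stream j A
open Stream

-- Guarded corecursion: each observation is answered directly, and the
-- corecursive call occurs only under a field at a strictly smaller size
-- j < i, so Agda's termination checker accepts nats as productive without
-- reducing it to a fixed recursion combinator.
nats : ∀ {i} → ℕ → Stream i ℕ
head (nats n) = n
tail (nats n) = nats (suc n)

-- Finite observations are inductive: a prefix of length n is an ordinary
-- List, just as a trace of a process is a finite inductive object.
-- ∞ is a valid instance of Size< ∞, so tail s can be observed at size ∞.
take : ∀ {A} → ℕ → Stream ∞ A → List A
take zero    s = []
take (suc n) s = head s ∷ take n (tail s)
```

The point of the size index is that a definition such as nats is checked for productivity by the type checker alone: if the corecursive call were not guarded by a field, the argument type would be Stream i rather than Stream j with j < i, and the definition would be rejected rather than silently diverging.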

We have implemented the stable failures model and the failures, divergences
and infinite traces (FDI) model of CSP in Agda, together with the
corresponding refinement and equality relations.

We extended the library CSP-Agda by implementing strong bisimilarity 
and divergent-respecting weak (DRW) bisimilarity in CSP-Agda. We have 
shown that processes bisimilar with respect to one of these two notions are 
trace equivalent, stable failures equivalent and FDI equivalent. We have as 
well shown that strong bisimilarity implies DRW bisimilarity. 

This makes it easier to develop proofs of algebraic properties for trace,
stable failures, and FDI semantics: it suffices to show that the two sides
are strongly or DRW bisimilar. As an example, we applied this methodology to
prove algebraic laws with respect to these semantics.

As a case study, we modelled a scenario from the railway domain in CSP and
used the FDR tools to check that this model is free from deadlock and
livelock, and to prove refinement statements. We used the ProBE tool and
CSP-Agda-Simulator to simulate the model. We showed how to carry out proofs
of refinement in CSP-Agda, although it would be more suitable to integrate
model checkers into CSP-Agda in order to carry out such proofs.

We have therefore developed a library which allows one to represent CSP
processes and simulate them, together with their main semantics, and which
allows one to prove properties, including proofs of algebraic laws with
respect to the different semantics.

Future Work


We have developed elements of the European Rail Traffic Management System
ERTMS (ERTMS [2013]) in CSP, and we plan to implement those processes in
CSP-Agda, and to prove safety, liveness, and refinement statements in
CSP-Agda. This will require automated theorem proving techniques in order
to carry out larger case studies. Here we could use Kanso's PhD thesis
Kanso [2012] (see as well Kanso and Setzer [2014]), in which he verified
real-world railway interlocking systems in Agda. Verifying larger examples
might require upgrading the integration of SAT solvers and model checkers
into Agda2, which was developed by Kanso [2012], to the current version of
Agda, and extending that work.

What needs to be investigated is whether the integration of SAT solvers and
model checkers into Agda by Kanso could be used to prove properties about
CSP processes in a better way, especially in finite situations such as the
processes occurring in chapter 11. What needs to be explored is whether,
under certain conditions, one can translate a refinement statement in
CSP-Agda which we want to prove into a model checking property. Then it
might be possible to prove this model checking problem using a model checker
and obtain the refinement statement in CSP-Agda directly. Proofs by hand in
CSP-Agda could then be confined to generic problems (quantifying over
arbitrary processes), whereas problems about finite fixed processes could be
solved automatically using model checking. We would obtain a library which
would allow general algebraic properties, which cannot be shown by model
checkers, to be proved interactively, while specific properties of finite
processes are proved automatically using model checkers. A direct solution
would be to integrate the CSP model checker FDR2 directly into Agda.

The simple case study we carried out showed that CSP-Agda processes need
further optimisation before even simple examples can be handled by hand.
Part of this is due to the fact that the efficiency of Agda's type checker
has room for improvement. In addition, we plan to investigate whether
processes can be optimised further, or the data type of processes improved,
so that such simple proofs can be carried out easily by hand in a more
transparent way. For instance, it might be possible to determine
automatically the traces up to a given number of steps, together with a
correctness proof, and use this to prove refinement in the various semantics
of CSP.

Our vision is to write prototypes of programs, e.g. of some elements of the
ERTMS, in Agda and make them directly executable in Agda. For this, a major
step for CSP-Agda needs to be taken, namely being able to program directly
with CSP processes in Agda. Then we could use the fact that Agda is both a
theorem prover and a dependently typed programming language to have programs
and their correctness proofs written in the same language, without the need
to translate between different languages, and therefore without the need to
verify the correctness of such a translation.

More proofs of algebraic laws need to be carried out as future work, in
order to demonstrate the robustness of our definitions. One important piece
of future work is to prove that operators such as external choice,
interleaving, or monadic composition respect the equalities of the various
semantics, especially DRW bisimilarity.

We plan to introduce a new type Process, which has as an additional
parameter a code for the category of processes, i.e. +, p, or ∞. Process+
would then be Process +, Process∞ would then be Process ∞, and our original
Process would now be Process p. This was in fact a suggestion by one of the
anonymous referees of one of our papers. First experiments show that this
could work and does not lead to problems with the termination checker.

What needs to be seen is whether CSP-Agda can realistically be used for
programming in Agda. This could connect with the work by Abel et al. [2017,
2016] on implementing graphical user interfaces, which are concurrent in
nature, in Agda. In general it seems that CSP is used more for modelling
existing concurrent programs, and then determining properties of the
original program, rather than for writing programs directly in CSP.
Frameworks exist for this, such as JCSP (Welch, P. H. and Austin, P. D.
[1999]) and CSP++ (Gardner [2000]), but we have not yet found good examples
of programs actually written directly in those frameworks rather than using
them for modelling behaviour.

CSP-Agda-Simulator is a rather simple tool at the moment. We plan to
combine it with the approach for representing GUIs in Agda by Abel et al.
[2017, 2016], so that one can see several traces at the same time.

Appendix A

Agda Code

A.1 addTick.agda


--@PREFIX@addtick
module addTick where

open import Size
open import Data.String renaming (_++_ to _++s_)
open import Data.Fin
open import Data.Sum
open import process
open import choiceSetU
open import showFunction
open import dataAuxFunction
open import labelUniv
open import showLabelP
open import renamingResult
open import internalChoice

--@BEGIN@addtickDef
2-✓Str : {c₀ c₁ : Choice} → (a : ChoiceSet c₀)
         → (b : ChoiceSet c₁) → String
2-✓Str a b = "(2-✓ " ++s choice2Str a ++s " " ++s choice2Str b ++s ")"

2-✓+ : ∀ {i} → {c₀ c₁ : Choice} → (a : ChoiceSet c₀) → {lu : LUniv}
       → (b : ChoiceSet c₁) → Process+ i {lu} (c₀ ⊎' c₁)
E    (2-✓+ a b) = ∅'
Lab  (2-✓+ a b) ()
PE   (2-✓+ a b) ()
I    (2-✓+ a b) = ∅'
PI   (2-✓+ a b) ()
T    (2-✓+ a b) = fin 2
PT   (2-✓+ a b) zero             = inj₁ a
PT   (2-✓+ a b) (suc zero)       = inj₂ b
PT   (2-✓+ a b) (suc (suc ()))
Str+ (2-✓+ a b) = "(2-✓ " ++s choice2Str a ++s " " ++s choice2Str b ++s ")"

2-✓ : ∀ {i} → {c₀ c₁ : Choice} → (a : ChoiceSet c₀) → {lu : LUniv}
      → (b : ChoiceSet c₁) → Process i {lu} (c₀ ⊎' c₁)
2-✓ a b = node (2-✓+ a b)

2-✓∞ : ∀ {i} → {c₀ c₁ : Choice} → (a : ChoiceSet c₀) → {lu : LUniv}
       → (b : ChoiceSet c₁) → Process∞ i {lu} (c₀ ⊎' c₁)
forcep (2-✓∞ a b) = 2-✓ a b
Str∞   (2-✓∞ a b) = 2-✓Str a b
--@END

unifyA⊎A : {A : Set} → A ⊎ A → A
unifyA⊎A (inj₁ a) = a
unifyA⊎A (inj₂ a) = a

add✓Str : ∀ {c : Choice} → (a : ChoiceSet c)
          → String → String
add✓Str a str = "(add✓ " ++s choice2Str a ++s " " ++s str ++s ")"


--@BEGIN@addTickPartOneDef
mutual
  add✓∞ : ∀ {i} → {c : Choice} → (a : ChoiceSet c) → {lu : LUniv}
          → Process∞ i {lu} c → Process∞ i {lu} c
  forcep (add✓∞ a P) = add✓ a (forcep P)
  Str∞   (add✓∞ a P) = add✓Str a (Str∞ P)

  add✓ : ∀ {i} → {c : Choice} → (a : ChoiceSet c) → {lu : LUniv}
         → Process i {lu} c → Process i {lu} c
  add✓ a (terminate b) = fmap unifyA⊎A (2-✓ a b)
  add✓ a (node P)      = node (add✓+ a P)

  add✓+ : ∀ {i} → {c : Choice} → (a : ChoiceSet c) → {lu : LUniv}
          → Process+ i {lu} c → Process+ i {lu} c
  E    (add✓+ a P)   = E P
  Lab  (add✓+ a P)   = Lab P
  PE   (add✓+ a P) s = add✓∞ a (PE P s)
  I    (add✓+ a P)   = I P
  PI   (add✓+ a P) s = add✓∞ a (PI P s)
  T    (add✓+ a P)   = ⊤' ⊎' T P
  PT   (add✓+ a P) (inj₁ _) = a
  PT   (add✓+ a P) (inj₂ c) = PT P c
  Str+ (add✓+ a P)   = add✓Str a (Str+ P)
--@END


--@BEGIN@addTimedDef
addTimed✓Str : {c : Choice} → (a : ChoiceSet c)
               → String → String
addTimed✓Str a str = "(addTimed✓ " ++s choice2Str a ++s " " ++s str ++s ")"

mutual
  addTimed✓∞ : ∀ {i} → {c : Choice} → (a : ChoiceSet c) → {lu : LUniv}
               → Process∞ i {lu} c → Process∞ i {lu} c
  forcep (addTimed✓∞ a P) = addTimed✓ a (forcep P)
  Str∞   (addTimed✓∞ a P) = addTimed✓Str a (Str∞ P)

  addTimed✓ : ∀ {i} → {c : Choice} → (a : ChoiceSet c) → {lu : LUniv}
              → Process i {lu} c → Process i {lu} c
  addTimed✓ a (terminate b) = fmap unifyA⊎A (2-✓ a b)
  addTimed✓ a (node P)      = node (addTimed✓+ a P)

  addTimed✓+ : ∀ {i} → {c : Choice} → (a : ChoiceSet c) → {lu : LUniv}
               → Process+ i {lu} c
               → Process+ i {lu} c
  E    (addTimed✓+ a P)   = E P
  Lab  (addTimed✓+ a P)   = Lab P
  PE   (addTimed✓+ a P) s = PE P s
  I    (addTimed✓+ a P)   = I P
  PI   (addTimed✓+ a P) s = addTimed✓∞ a (PI P s)
  T    (addTimed✓+ a P)   = ⊤' ⊎' T P
  PT   (addTimed✓+ a P) (inj₁ _) = a
  PT   (addTimed✓+ a P) (inj₂ c) = PT P c
  Str+ (addTimed✓+ a P)   = addTimed✓Str a (Str+ P)
--@END


A.2 addTickOperator.agda

module addTickOperator where

open import Size
open import process
open import choiceSetU
open import primitiveProcess
open import Data.Sum
open import Data.String renaming (_++_ to _++s_)
open import labelUniv

choiceFunctionAddEI : {ca : Choice} → (c : Choice)
                      → (f : ChoiceSet c → ChoiceSet ca)
                      → ChoiceSet ca
                      → ChoiceSet (fin 1 ⊎' c)
                      → ChoiceSet ca
choiceFunctionAddEI c f a (inj₁ x) = a
choiceFunctionAddEI c f a (inj₂ y) = f y

mutual
  addTickStr : {ca : Choice} → (c : Choice)
               → (f : ChoiceSet c → ChoiceSet ca)
               → String → String
  addTickStr c f s = "Something" ++s s

  addTick∞ : {ca : Choice} → {i : Size} → (c : Choice)
             → {lu : LUniv}
             → (f : ChoiceSet c → ChoiceSet ca)
             → Process∞ i {lu} ca
             → Process∞ i {lu} ca
  forcep (addTick∞ c f P) {j} = addTick c f (forcep P {j})
  Str∞   (addTick∞ c f P)     = addTickStr c f (Str∞ P)

  addTick : {ca : Choice} → {i : Size} → (c : Choice)
            → {lu : LUniv}
            → (f : ChoiceSet c → ChoiceSet ca)
            → Process i {lu} ca
            → Process i {lu} ca
  addTick {ca} {i} c f (terminate a) = MSKIP i ca (fin 1 ⊎' c)
                                             (choiceFunctionAddEI c f a)
  addTick c f (node Q) = node (addTick+ c f Q)

  addTick+ : {ca : Choice} → {i : Size} → (c : Choice)
             → {lu : LUniv}
             → (f : ChoiceSet c → ChoiceSet ca)
             → Process+ i {lu} ca
             → Process+ i {lu} ca
  E    (addTick+ c f P)   = E P
  Lab  (addTick+ c f P) x = Lab P x
  PE   (addTick+ c f P) x = PE P x
  I    (addTick+ c f P)   = I P
  PI   (addTick+ c f P) x = PI P x
  T    (addTick+ c f P)   = c ⊎' T P
  PT   (addTick+ c f P) (inj₁ x) = f x
  PT   (addTick+ c f P) (inj₂ y) = PT P y
  Str+ (addTick+ c f P)   = addTickStr c f (Str+ P)

A.3 auxData.agda

--@PREFIX@auxdata
module auxData where

open import Data.Bool
open import Data.String renaming (_==_ to _==strb_)
open import Data.Product hiding (_×_ ; Σ)
open import Level

--@BEGIN@prod
data _×_ (a b : Set) : Set where
  _,,_ : a → b → a × b
--@END
infixr 5 _×_

proj₁' : {A B : Set}(ab : A × B) → A
proj₁' (a ,, b) = a

proj₂' : {A B : Set}(ab : A × B) → B
proj₂' (a ,, b) = b

data _∨s_ (a b : Set) : Set where
  inl : a → a ∨s b
  inr : b → a ∨s b

--@BEGIN@subset
data subset (A : Set) (f : A → Bool) : Set where
  sub : (a : A) → T (f a) → subset A f
--@END

data _==_ {A : Set} (a : A) : A → Set where
  refl : a == a

--@BEGIN@seg
record Σ {a b} (A : Set a) (B : A → Set b) : Set (a ⊔ b) where
  constructor _,_
  field
    proj₁ : A
    proj₂ : B proj₁
--@END

A.4 auxLemmaPar.agda

--@PREFIX@auxlemmapar
module auxLemmaPar where

-- uses normal label not labelUniv

open import process
open import Size
open import choiceSetU
open import Data.Maybe
open import Data.List
open import Data.Sum
open import renamingResult
open import TraceWithoutSize
open import RefWithoutSize
open import lemFmap
open import auxData
open import dataAuxFunction
open import Data.Product
open import labelUniv
open import parallelSimple
open import restrict
open import Data.Bool
open import labelEq
open import Agda.Builtin.Equality
open import Agda.Builtin.Unit
open import Data.Bool.Base renaming (T to T')
open import Data.Unit.Base
open import Data.Product

--@BEGIN@lemmaBool
lemmaBool : (a b : Bool) → T' (a ∧ b) → T' a
lemmaBool false b     ()
lemmaBool true  false ()
lemmaBool true  true  tt = tt

lemmaBoolR : (a b : Bool) → T' (a ∧ b) → T' b
lemmaBoolR false false ()
lemmaBoolR true  false ()
lemmaBoolR false true  ()
lemmaBoolR true  true  tt = tt
--@END

--@BEGIN@lemmaBoolaux
lemmaBool'aux : (a b c : Bool)
                → T' (a ∧ b ∧ c) → T' c
lemmaBool'aux a b c p = let
                           q : T' (b ∧ c)
                           q = lemmaBoolR a (b ∧ c) p
                        in lemmaBoolR b c q
--@END

lemmaBool' : (a b c : Bool) → T' (a ∧ b ∧ c) → T' c
lemmaBool' false false false ()
lemmaBool' false false true  ()
lemmaBool' false true  false ()
lemmaBool' false true  true  ()
lemmaBool' true  false false ()
lemmaBool' true  false true  ()
lemmaBool' true  true  false ()
lemmaBool' true  true  true  tt = tt

lemmaBool'' : (a b c : Bool) → T' a → T' b → T' c → T' (a ∧ b ∧ c)
lemmaBool'' false b     c () x₁ x₂
lemmaBool'' true  false c x  () x₂
lemmaBool'' true  true  c x  tt x₂ = x₂

A.5 bisimForNextProcess.agda

--@PREFIX@bisimForNextProcess
module bisimForNextProcess where

open import process
open import choiceSetU
open import labelUniv
open import Size
open import Relation.Binary.PropositionalEquality
open import Data.Empty
open import Data.Unit
open import Data.List
open import Data.Sum
open import TraceWithNextProcess
open import dataAuxFunction
open import fdi
open import fdiRefusal
open import bisimilarity
open import traceImpliesTraceP
open import Data.Bool hiding (T)
open import fdi
open import auxData

--@BEGIN@BisimForNextP
BisimForNextP : {lu : LUniv}{c : Choice} (tick tick' : Process ∞ {lu} c ⊎ ChoiceSet c) → Set
BisimForNextP {lu}{c} (inj₁ P) (inj₁ P') = Bisimʷ {∞} P P'
BisimForNextP {lu}{c} (inj₁ P) (inj₂ x)  = TerminateEquivalent x P
BisimForNextP {lu}{c} (inj₂ x) (inj₁ P)  = TerminateEquivalent x P
BisimForNextP {lu}{c} (inj₂ x) (inj₂ x') = x ≡ x'
--@END


mutual
  lemmaTraceTerminationEquivalentEmpty+' : {lu : LUniv}(c : Choice) (l : List (Label lu))
                 (P' : Process+ ∞ c)(Q : Process ∞ {lu} c ⊎ ChoiceSet c)
                 (a : ChoiceSet c)
                 (nodexTerEquiv : TerminateEquivalent a (node P'))
                 (tr : TrP+ l Q P')
                 → l ≡ []
  lemmaTraceTerminationEquivalentEmpty+' c .[] P' .(inj₁ (node P')) a nodexTerEquiv empty = refl
  lemmaTraceTerminationEquivalentEmpty+' c .(Lab P' x ∷ l) P' Q a (termeqnode terequivP) (extc l .Q x x₁)
      = ⊥-elim (noExtChoice terequivP x)
  lemmaTraceTerminationEquivalentEmpty+' c l P' Q a nodexTerEquiv (intc .l .Q x x₁)
      = lemmaTraceTerminationEquivalentEmpty' c l P' Q a nodexTerEquiv (tnode (intc l Q x x₁))
  lemmaTraceTerminationEquivalentEmpty+' c .[] P' .(inj₂ (PT P' x)) a nodexTerEquiv (terc x)
      = refl

  lemmaTraceTerminationEquivalentEmpty' : {lu : LUniv}(c : Choice) (l : List (Label lu))
                 (P' : Process+ ∞ c)(Q : Process ∞ {lu} c ⊎ ChoiceSet c)
                 (a : ChoiceSet c)
                 (nodexTerEquiv : TerminateEquivalent a (node P'))
                 (tr : TrP l Q (node P'))
                 → l ≡ []
  lemmaTraceTerminationEquivalentEmpty' c .[] P' .(inj₁ (node P')) a nodexTerEquiv
      (tnode empty) = refl
  lemmaTraceTerminationEquivalentEmpty' c .(Lab P' x ∷ l) P' Q a (termeqnode terequivP) (tnode (extc l .Q x x₁))
      = ⊥-elim (noExtChoice terequivP x)
  lemmaTraceTerminationEquivalentEmpty' c l P' Q a (termeqnode terequivP) (tnode (intc .l .Q x x₁))
      = lemmaTraceTerminationEquivalentEmpty∞' c l (PI P' x) Q a (onlyIntChoice terequivP x) x₁
  lemmaTraceTerminationEquivalentEmpty' c .[] P' .(inj₂ (PT P' x)) a nodexTerEquiv (tnode (terc x)) = refl

  lemmaTraceTerminationEquivalentEmpty∞' : {lu : LUniv}(c : Choice) (l : List (Label lu))
                 (P' : Process∞ ∞ c)(Q : Process ∞ {lu} c ⊎ ChoiceSet c)
                 (a : ChoiceSet c)
                 (nodexTerEquiv : TerminateEquivalent a (forcep P'))
                 (tr : TrP∞ l Q P')
                 → l ≡ []
  lemmaTraceTerminationEquivalentEmpty∞' c l P' Q a nodexTerEquiv tr
      = lemmaTraceTerminationEquivalentEmpty'' c l (forcep P') Q a nodexTerEquiv tr

  lemmaTraceTerminationEquivalentEmpty'' : {lu : LUniv}(c : Choice) (l : List (Label lu))
                 (P' : Process ∞ {lu} c)(Q : Process ∞ {lu} c ⊎ ChoiceSet c)
                 (a : ChoiceSet c)
                 (nodexTerEquiv : TerminateEquivalent a P')
                 (tr : TrP l Q P')
                 → l ≡ []
  lemmaTraceTerminationEquivalentEmpty'' c .[] .(terminate x) .(inj₂ x) a nodexTerEquiv (ter x) = refl
  lemmaTraceTerminationEquivalentEmpty'' c .[] .(terminate x) .(inj₁ (terminate x)) a nodexTerEquiv (empty x) = refl
  lemmaTraceTerminationEquivalentEmpty'' c l .(node P') Q a nodexTerEquiv (tnode {.l} {.Q} {P'} x)
      = lemmaTraceTerminationEquivalentEmpty' c l P' Q a nodexTerEquiv (tnode x)

mutual
  termequivPToTicknode₂ : {lu : LUniv}{c : Choice}(y : ChoiceSet c)(P : Process ∞ {lu} c)
                 (l : List (Label lu)) (m : Process ∞ {lu} c ⊎ ChoiceSet c)
                 (terequivP : TerminateEquivalent y P) (tr : TrP l m P)
                 → TrP l (inj₁ (terminate y)) (terminate y)
  termequivPToTicknode₂ y (terminate .y) .[] (inj₁ (terminate .y)) termeqterm (empty .y) = empty y
  termequivPToTicknode₂ y (terminate .y) l   (inj₁ (node x))        termeqterm ()
  termequivPToTicknode₂ y (terminate .y) .[] (inj₂ .y)              termeqterm (ter .y)   = empty y
  termequivPToTicknode₂ y (node x) l m terequivP (tnode tr) = termequivPToTicknode₂+ y x l m terequivP tr

  termequivPToTicknode₂+ : {lu : LUniv}{c : Choice}(y : ChoiceSet c)(P : Process+ ∞ c)
                 (l : List (Label lu)) (m : Process ∞ {lu} c ⊎ ChoiceSet c)
                 (terequivP : TerminateEquivalent y (node P)) (tr : TrP+ l m P)
                 → TrP l (inj₁ (terminate y)) (terminate y)
  termequivPToTicknode₂+ y P .[] .(inj₁ (node P)) (termeqnode terequivP) empty = empty y
  termequivPToTicknode₂+ y P .(Lab P x ∷ l) m (termeqnode terequivP) (extc l .m x x₁)
      = ⊥-elim (noExtChoice terequivP x)
  termequivPToTicknode₂+ y P l m (termeqnode terequivP) (intc .l .m x x₁)
      = termequivPToTicknode₂∞ y (PI P x) l m (onlyIntChoice terequivP x) x₁
  termequivPToTicknode₂+ y P .[] .(inj₂ (PT P x)) (termeqnode terequivP) (terc x) = empty y

  termequivPToTicknode₂∞ : {lu : LUniv}{c : Choice}(y : ChoiceSet c)(P : Process∞ ∞ c)
                 (l : List (Label lu)) (m : Process ∞ {lu} c ⊎ ChoiceSet c)
                 (terequivP : TerminateEquivalent∞ y P) (tr : TrP∞ l m P)
                 → TrP l (inj₁ (terminate y)) (terminate y)
  termequivPToTicknode₂∞ y P l m terequivP tr = termequivPToTicknode₂ y (forcep P) l m terequivP tr

  termequivPToTick∞₁ : {lu : LUniv}{c : Choice}(x : ChoiceSet c)(P : Process∞ ∞ c)
                 (termequivP : TerminateEquivalent∞ x P)
                 → Process ∞ {lu} c ⊎ ChoiceSet c
  termequivPToTick∞₁ {lu}{c} x P termequivP = termequivPToTick₁ x (forcep P) termequivP

  termequivPToTick₁ : {lu : LUniv}{c : Choice}(x : ChoiceSet c)(P : Process ∞ {lu} c)
                 (termequivP : TerminateEquivalent x P)
                 → Process ∞ {lu} c ⊎ ChoiceSet c
  termequivPToTick₁ {lu}{c} x .(terminate x) termeqterm = inj₂ x
  termequivPToTick₁ {lu}{c} x .(node Q) (termeqnode termequivQ)
      = termequivPToTick₁aux {lu}{c} x Q termequivQ (hasTauOrTick termequivQ)

  termequivPToTick₁aux : {lu : LUniv}{c : Choice}(x : ChoiceSet c)(Q : Process+ ∞ c)
                 (termequivQ : TerminateEquivalent+ x Q)
                 (hastauortick : ChoiceSet (I Q) ⊎ ChoiceSet (T Q))
                 → Process ∞ {lu} c ⊎ ChoiceSet c
  termequivPToTick₁aux {lu}{c} x Q termequivQ (inj₁ ip)
      = termequivPToTick∞₁ x (PI Q ip) (onlyIntChoice termequivQ ip)
  termequivPToTick₁aux {lu}{c} x Q termequivQ (inj₂ t) = inj₂ (PT Q t)

  termequivPToTick∞₂ : {lu : LUniv}{c : Choice}(x : ChoiceSet c)(P : Process∞ ∞ c)
                 (termequivP : TerminateEquivalent∞ x P)
                 → TrP∞ [] (termequivPToTick∞₁ x P termequivP) P
  termequivPToTick∞₂ {lu}{c} x P termequivP = termequivPToTick₂ x (forcep P) termequivP

  termequivPToTick₂ : {lu : LUniv}{c : Choice}(x : ChoiceSet c)(P : Process ∞ {lu} c)
                 (termequivP : TerminateEquivalent x P)
                 → TrP [] (termequivPToTick₁ {lu}{c} x P termequivP) P
  termequivPToTick₂ x .(terminate x) termeqterm = ter x
  termequivPToTick₂ {lu}{c} x .(node Q) (termeqnode {Q} termequivQ)
      = termequivPToTick₂aux {lu}{c} x Q termequivQ (hasTauOrTick termequivQ)

  termequivPToTick₂aux : {lu : LUniv}{c : Choice}(x : ChoiceSet c)(Q : Process+ ∞ c)
                 (termequivQ : TerminateEquivalent+ x Q)
                 (hastauortick : ChoiceSet (I Q) ⊎ ChoiceSet (T Q))
                 → TrP [] (termequivPToTick₁aux {lu}{c} x Q termequivQ hastauortick) (node Q)
  termequivPToTick₂aux {lu}{c} x Q termequivQ (inj₁ ip)
      = tnode (intc [] (termequivPToTick₁aux x Q termequivQ (inj₁ ip)) ip
               (termequivPToTick∞₂ x (PI Q ip) (onlyIntChoice termequivQ ip)))
  termequivPToTick₂aux {lu}{c} x Q termequivQ (inj₂ t) = tnode (terc t)

  termequivPToTick∞₃ : {lu : LUniv}{c : Choice}(x : ChoiceSet c)(P : Process∞ ∞ c)
                 (termequivP : TerminateEquivalent∞ x P)
                 → BisimForNextP (termequivPToTick∞₁ {lu}{c} x P termequivP) (inj₂ x)
  termequivPToTick∞₃ {lu}{c} x P termequivP = termequivPToTick₃ {lu}{c} x (forcep P) termequivP

  termequivPToTick₃ : {lu : LUniv}{c : Choice}(x : ChoiceSet c)(P : Process ∞ {lu} c)
                 (termequivP : TerminateEquivalent x P)
                 → BisimForNextP (termequivPToTick₁ {lu}{c} x P termequivP) (inj₂ x)
  termequivPToTick₃ {lu}{c} x .(terminate x) termeqterm = refl
  termequivPToTick₃ {lu}{c} x .(node Q) (termeqnode {Q} termequivQ)
      = termequivPToTick₃aux {lu}{c} x Q termequivQ (hasTauOrTick termequivQ)

  termequivPToTick₃aux : {lu : LUniv}{c : Choice}(x : ChoiceSet c)(Q : Process+ ∞ c)
                 (termequivQ : TerminateEquivalent+ x Q)
                 (hastauortick : ChoiceSet (I Q) ⊎ ChoiceSet (T Q))
                 → BisimForNextP (termequivPToTick₁aux {lu}{c} x Q termequivQ hastauortick) (inj₂ x)
  termequivPToTick₃aux {lu}{c} x Q termequivQ (inj₁ ip)
      = termequivPToTick∞₃ {lu}{c} x (PI Q ip) (onlyIntChoice termequivQ ip)
  termequivPToTick₃aux {lu}{c} x Q termequivQ (inj₂ t) rewrite termIsa termequivQ t = refl
  termequivPToTick∞₁' : {lu : LUniv}{c : Choice}(x : ChoiceSet c)(P : Process∞ ∞ c)
                 (termequivP : TerminateEquivalent∞ x P)
                 → Process ∞ {lu} c ⊎ ChoiceSet c
  termequivPToTick∞₁' {lu}{c} x P termequivP = termequivPToTick₁' x (forcep P) termequivP

  termequivPToTick₁' : {lu : LUniv}{c : Choice}(x : ChoiceSet c)(P : Process ∞ {lu} c)
                 (termequivP : TerminateEquivalent x P)
                 → Process ∞ {lu} c ⊎ ChoiceSet c
  termequivPToTick₁' x (terminate .x) termeqterm = inj₁ (terminate x)
  termequivPToTick₁' x (node Q) (termeqnode termequivQ)
      = termequivPToTick₁aux'' x Q termequivQ (hasTauOrTick termequivQ)

  termequivPToTick₁aux'' : {lu : LUniv}{c : Choice}(x : ChoiceSet c)(Q : Process+ ∞ c)
                 (termequivQ : TerminateEquivalent+ x Q)
                 (hastauortick : ChoiceSet (I Q) ⊎ ChoiceSet (T Q))
                 → Process ∞ {lu} c ⊎ ChoiceSet c
  termequivPToTick₁aux'' {lu}{c} x Q termequivQ (inj₁ ip)
      = termequivPToTick∞₁' x (PI Q ip) (onlyIntChoice termequivQ ip)
  termequivPToTick₁aux'' {lu}{c} x Q termequivQ (inj₂ t) = inj₂ (PT Q t)

  termequivPToTick₂' : {lu : LUniv}{c : Choice}(x : ChoiceSet c)(P : Process ∞ {lu} c)
                 (termequivP : TerminateEquivalent x P)
                 → TrP [] (termequivPToTick₁' x P termequivP) P
  termequivPToTick₂' {lu}{c} x .(terminate x) termeqterm = empty x
  termequivPToTick₂' {lu}{c} x .(node Q) (termeqnode {Q} termequivQ)
      = termequivPToTick₂aux' {lu}{c} x Q termequivQ (hasTauOrTick termequivQ)

  termequivPToTick₂aux' : {lu : LUniv}{c : Choice}(x : ChoiceSet c)(Q : Process+ ∞ c)
                 (termequivQ : TerminateEquivalent+ x Q)
                 (hastauortick : ChoiceSet (I Q) ⊎ ChoiceSet (T Q))
                 → TrP [] (termequivPToTick₁aux'' {lu}{c} x Q termequivQ hastauortick) (node Q)
  termequivPToTick₂aux' x Q termequivQ (inj₁ x₁)
      = tnode (intc [] (termequivPToTick₁aux'' x Q termequivQ (inj₁ x₁)) x₁
               (termequivPToTick∞₂' x (PI Q x₁) (onlyIntChoice termequivQ x₁)))
  termequivPToTick₂aux' x Q termequivQ (inj₂ t) = tnode (terc t)

  termequivPToTick∞₂' : {lu : LUniv}{c : Choice}(x : ChoiceSet c)(P : Process∞ ∞ c)
                 (termequivP : TerminateEquivalent∞ x P)
                 → TrP∞ [] (termequivPToTick∞₁' x P termequivP) P
  termequivPToTick∞₂' {lu}{c} x P termequivP = termequivPToTick₂' {lu}{c} x (forcep P) termequivP

  termequivPToTick∞₃' : {lu : LUniv}{c : Choice}(x : ChoiceSet c)(P : Process∞ ∞ c)
                 (termequivP : TerminateEquivalent∞ x P)
                 → BisimForNextP (termequivPToTick∞₁' x P termequivP) (inj₁ (terminate x))
  termequivPToTick∞₃' x P termequivP = termequivPToTick₃' x (forcep P) termequivP

  termequivPToTick₃' : {lu : LUniv}{c : Choice}(x : ChoiceSet c)(P : Process ∞ {lu} c)
                 (termequivP : TerminateEquivalent x P)
                 → BisimForNextP (termequivPToTick₁' x P termequivP) (inj₁ (terminate x))
  termequivPToTick₃' {lu}{c} x .(terminate x) termeqterm = eqterminate termeqterm
  termequivPToTick₃' x .(node Q) (termeqnode {Q} termequivQ)
      = termequivPToTick₃aux' x Q termequivQ (hasTauOrTick termequivQ)

  termequivPToTick₃aux' : {lu : LUniv}{c : Choice}(x : ChoiceSet c)(Q : Process+ ∞ c)
                 (termequivQ : TerminateEquivalent+ x Q)
                 (hastauortick : ChoiceSet (I Q) ⊎ ChoiceSet (T Q))
                 → BisimForNextP (termequivPToTick₁aux'' {lu}{c} x Q termequivQ hastauortick) (inj₁ (terminate x))
  termequivPToTick₃aux' {lu}{c} x Q termequivQ (inj₁ ip)
      = termequivPToTick∞₃' {lu}{c} x (PI Q ip) (onlyIntChoice termequivQ ip)
  termequivPToTick₃aux' {lu}{c} x Q termequivQ (inj₂ t) rewrite (termIsa termequivQ t) = termeqterm

mutual
  termEquivPr+ : {lu : LUniv}(c : Choice)(l : List (Label lu))(y : ChoiceSet c)(P' : Process+ ∞ c)
                 (a : ChoiceSet c) (terequivP : TerminateEquivalent+ a P')
                 (tr : TrP+ l (inj₂ y) P')
                 → a ≡ y
  termEquivPr+ c .(Lab P' x ∷ l) y P' a terequivP (extc l .(inj₂ y) x x₁)
      = ⊥-elim (noExtChoice terequivP x)
  termEquivPr+ c l y P' a terequivP (intc .l .(inj₂ y) x tr)
      = termEquivPr c l y P' a (termeqnode terequivP) (tnode (intc l (inj₂ y) x tr))
  termEquivPr+ c .[] .(PT P' x) P' a terequivP (terc x) = termIsa terequivP x

  termEquivPr : {lu : LUniv}(c : Choice)(l : List (Label lu))(y : ChoiceSet c)(P' : Process+ ∞ c)
                 (a : ChoiceSet c) (terequivP : TerminateEquivalent a (node P'))
                 (tr : TrP l (inj₂ y) (node P'))
                 → a ≡ y
  termEquivPr c .(Lab P' x ∷ l) y P' a (termeqnode terequivP) (tnode (extc l .(inj₂ y) x x₁))
      = ⊥-elim (noExtChoice terequivP x)
  termEquivPr c l y P' a (termeqnode terequivP) (tnode (intc .l .(inj₂ y) x x₁))
      = termEquivPr∞ c l y (PI P' x) a (onlyIntChoice terequivP x) x₁
  termEquivPr c .[] .(PT P' x) P' a (termeqnode terequivP) (tnode (terc x)) = termIsa terequivP x

  termEquivPr∞ : {lu : LUniv}(c : Choice)(l : List (Label lu))(y : ChoiceSet c)(P' : Process∞ ∞ c)
                 (a : ChoiceSet c) (terequivP : TerminateEquivalent a (forcep P'))
                 (tr : TrP∞ l (inj₂ y) P')
                 → a ≡ y
  termEquivPr∞ c l y P' a terequivP tr = termEquivPr' c l y (forcep P') a terequivP tr

  termEquivPr' : {lu : LUniv}(c : Choice)(l : List (Label lu))(y : ChoiceSet c)(P' : Process ∞ {lu} c)
                 (a : ChoiceSet c) (terequivP : TerminateEquivalent a P')
                 (tr : TrP l (inj₂ y) P')
                 → a ≡ y
  termEquivPr' c .[] y .(terminate y) .y termeqterm (ter .y) = refl
  termEquivPr' c l y .(node P') a terequivP (tnode {.l} {.(inj₂ y)} {P'} tr)
      = termEquivPr c l y P' a terequivP (tnode tr)

mutual
  termEquivPreservedByTrace+ : {lu : LUniv}(c : Choice)(l : List (Label lu))(P' : Process+ ∞ c)
                 (Q : Process ∞ {lu} c)(a : ChoiceSet c)
                 (terequivP : TerminateEquivalent+ a P')
                 (tr : TrP+ l (inj₁ Q) P')
                 → TerminateEquivalent a Q
  termEquivPreservedByTrace+ c .[] P' .(node P') a terequivP empty = termeqnode terequivP
  termEquivPreservedByTrace+ c .(Lab P' x ∷ l) P' Q a terequivP (extc l .(inj₁ Q) x x₁)
      = ⊥-elim (noExtChoice terequivP x)
  termEquivPreservedByTrace+ c l P' Q a terequivP (intc .l .(inj₁ Q) x tr)
      = termEquivPreservedByTrace c l P' Q a (termeqnode terequivP) (tnode (intc l (inj₁ Q) x tr))

  termEquivPreservedByTrace : {lu : LUniv}(c : Choice)(l : List (Label lu))(P' : Process+ ∞ c)
                 (Q : Process ∞ {lu} c)(a : ChoiceSet c)
                 (terequivP : TerminateEquivalent a (node P'))
                 (tr : TrP l (inj₁ Q) (node P'))
                 → TerminateEquivalent a Q
  termEquivPreservedByTrace c .[] P' .(node P') a (termeqnode terequivP) (tnode empty) = termeqnode terequivP
  termEquivPreservedByTrace c .(Lab P' x ∷ l) P' Q a (termeqnode terequivP)
                 (tnode (extc l .(inj₁ Q) x x₁)) = ⊥-elim (noExtChoice terequivP x)
  termEquivPreservedByTrace c l P' Q a (termeqnode terequivP) (tnode (intc .l .(inj₁ Q) x tr))
      = termEquivPreservedByTrace∞ c l (PI P' x) Q a (onlyIntChoice terequivP x) tr

  termEquivPreservedByTrace∞ : {lu : LUniv}(c : Choice)(l : List (Label lu))(P' : Process∞ ∞ c)
                 (Q : Process ∞ {lu} c)(a : ChoiceSet c)
                 (terequivP : TerminateEquivalent a (forcep P'))
                 (tr : TrP∞ l (inj₁ Q) P')
                 → TerminateEquivalent a Q
  termEquivPreservedByTrace∞ c l P' Q a terequivP tr = termEquivPreservedByTrace' c l (forcep P') Q a terequivP tr

  termEquivPreservedByTrace' : {lu : LUniv}(c : Choice)(l : List (Label lu))(P' : Process ∞ {lu} c)
                 (Q : Process ∞ {lu} c)(a : ChoiceSet c)
                 (terequivP : TerminateEquivalent a P')
                 (tr : TrP l (inj₁ Q) P')
                 → TerminateEquivalent a Q
  termEquivPreservedByTrace' c .[] .(terminate x) .(terminate x) a terequivP (empty x) = terequivP
  termEquivPreservedByTrace' c l .(node P') Q a terequivP (tnode {.l} {.(inj₁ Q)} {P'} x)
      = termEquivPreservedByTrace c l P' Q a terequivP (tnode x)

mutual

--@BEGIN@bisimTraceTrPoneinf
  bisimTraceTrP∞₁ : {lu : LUniv}{c : Choice}(P P′ : Process∞ ∞ c)
                    (PP′ : Bisimw∞ {∞} P P′)(l : List (Label lu))
                    (tick : Process ∞ {lu} c ⊎ ChoiceSet c)
                    (tr : TrP∞ l tick P′)
                    → Process ∞ {lu} c ⊎ ChoiceSet c
  bisimTraceTrP∞₁ P P′ PP′ l x tr = bisimTraceTrP₁ (forcep P) (forcep P′) (forceB PP′) l x tr
--@END

--@BEGIN@bisimTraceTrPtwoinf
  bisimTraceTrP∞₂ : {lu : LUniv}{c : Choice}(P P′ : Process∞ ∞ c)
                    (PP′ : Bisimw∞ {∞} P P′)(l : List (Label lu))
                    (tick : Process ∞ {lu} c ⊎ ChoiceSet c)
                    (tr : TrP∞ l tick P′)
                    → TrP∞ l (bisimTraceTrP∞₁ P P′ PP′ l tick tr) P
  bisimTraceTrP∞₂ P P′ PP′ l x tr = bisimTraceTrP₂ (forcep P) (forcep P′) (forceB PP′) l x tr
--@END

--@BEGIN@bisimTraceTrPthreeinf
  bisimTraceTrP∞₃ : {lu : LUniv}{c : Choice}(P P′ : Process∞ ∞ c)
                    (PP′ : Bisimw∞ {∞} P P′)(l : List (Label lu))
                    (tick : Process ∞ {lu} c ⊎ ChoiceSet c)
                    (tr : TrP∞ l tick P′)
                    → BisimForNextP (bisimTraceTrP∞₁ P P′ PP′ l tick tr) tick
  bisimTraceTrP∞₃ P P′ PP′ l x tr = bisimTraceTrP₃ (forcep P) (forcep P′) (forceB PP′) l x tr
--@END

--@BEGIN@bisimTraceTrPone
  bisimTraceTrP₁ : {lu : LUniv}{c : Choice}(P P′ : Process ∞ {lu} c)
                   (PP′ : Bisimw {∞} P P′)
                   (l : List (Label lu))
                   (tick : Process ∞ {lu} c ⊎ ChoiceSet c)
                   (tr : TrP l tick P′)
                   → Process ∞ {lu} c ⊎ ChoiceSet c
  bisimTraceTrP₁ .(terminate y) (terminate x) (eqterminate {y} x₁) .[] .(inj₂ x) (ter .x) = inj₂ y
  bisimTraceTrP₁ P (terminate x) (eqterminater termequivP) .[] .(inj₂ x) (ter .x)
    = termequivPToTick₁ x P termequivP
  bisimTraceTrP₁ .(terminate y) (terminate x) (eqterminate {y} x₁) .[] .(inj₁ (terminate x)) (empty .x)
    = inj₁ (terminate y)
  bisimTraceTrP₁ P (terminate x) (eqterminater termequivP) .[] .(inj₁ (terminate x)) (empty .x)
    = termequivPToTick₁′ x P termequivP
  bisimTraceTrP₁ .(terminate a) (node P′) (eqterminate {a} nodexTerEquiv) l (inj₁ x) (tnode tr)
    = inj₁ (terminate a)
  bisimTraceTrP₁ .(terminate a) (node P′) (eqterminate {a} nodexTerEquiv) l (inj₂ y) (tnode tr)
    = inj₂ a
  bisimTraceTrP₁ (node P) (node P′) (eqnode {P} PP′) l tick (tnode tr)
    = bisimTraceTrP₁+ P P′ PP′ l tick tr
--@END

--@BEGIN@bisimTraceTrPtwo
  bisimTraceTrP₂ : {lu : LUniv}{c : Choice}
                   (P P′ : Process ∞ {lu} c)
                   (PP′ : Bisimw {∞} P P′)
                   (l : List (Label lu))
                   (tick : Process ∞ {lu} c ⊎ ChoiceSet c)
                   (tr : TrP l tick P′)
                   → TrP l (bisimTraceTrP₁ P P′ PP′ l tick tr) P
  bisimTraceTrP₂ .(terminate y) .(terminate x) (eqterminate {y} x₁) .[] .(inj₂ x) (ter x) = ter y
  bisimTraceTrP₂ P .(terminate x) (eqterminater termequivP) .[] .(inj₂ x) (ter x)
    = termequivPToTick₂ x P termequivP
  bisimTraceTrP₂ .(terminate y) .(terminate x) (eqterminate {y} x₁) .[] .(inj₁ (terminate x)) (empty x)
    = empty y
  bisimTraceTrP₂ P .(terminate x) (eqterminater termequivP) .[] .(inj₁ (terminate x)) (empty x)
    = termequivPToTick₂′ x P termequivP
  bisimTraceTrP₂ {lu} {c} .(terminate a) .(node P′) (eqterminate {a} termequivP) l
                 (inj₁ x) (tnode {.l} {.(inj₁ x)} {P′} tr)
    rewrite (lemmaTraceTerminationEquivalentEmpty+′ c l P′ (inj₁ x) a termequivP tr) = empty a
  bisimTraceTrP₂ {lu} {c} .(terminate a) .(node P′) (eqterminate {a} termequivP) l
                 (inj₂ y) (tnode {.l} {.(inj₂ y)} {P′} tr)
    rewrite (lemmaTraceTerminationEquivalentEmpty+′ c l P′ (inj₂ y) a termequivP tr) = ter a
  bisimTraceTrP₂ {lu} {c} .(node P) .(node P′) (eqnode {P} {P′} PP′) l tick (tnode tr)
    = tnode (bisimTraceTrP₂+ P P′ PP′ l tick tr)
--@END

--@BEGIN@bisimTraceTrPthree
  bisimTraceTrP₃ : {lu : LUniv}{c : Choice}
                   (P P′ : Process ∞ {lu} c)
                   (PP′ : Bisimw {∞} P P′)
                   (l : List (Label lu))
                   (tick : Process ∞ {lu} c ⊎ ChoiceSet c)
                   (tr : TrP l tick P′)
                   → BisimForNextP (bisimTraceTrP₁ P P′ PP′ l tick tr) tick
  bisimTraceTrP₃ .(terminate x) (terminate x) (eqterminate {.x} termeqterm) .[] .(inj₂ x) (ter .x) = refl
  bisimTraceTrP₃ P (terminate x) (eqterminater termequivP) .[] .(inj₂ x) (ter .x)
    = termequivPToTick₃ x P termequivP
  bisimTraceTrP₃ .(terminate x) (terminate x) (eqterminate {.x} termeqterm) .[] .(inj₁ (terminate x)) (empty .x)
    = eqterminate termeqterm
  bisimTraceTrP₃ P (terminate x) (eqterminater termequivP) .[] .(inj₁ (terminate x)) (empty .x)
    = termequivPToTick₃′ x P termequivP
  bisimTraceTrP₃ {lu} {c} .(terminate a) (node P′) (eqterminate {a} (termeqnode terequivP)) l (inj₁ Q) (tnode tr)
    = eqterminate (termEquivPreservedByTrace+ c l P′ Q a terequivP tr)
  bisimTraceTrP₃ {lu} {c} .(terminate a) (node P′) (eqterminate {a} (termeqnode terequivP)) l (inj₂ y) (tnode tr)
    = termEquivPr+ c l y P′ a terequivP tr
  bisimTraceTrP₃ .(node P) (node P′) (eqnode {P} PP′) l tick (tnode tr)
    = bisimTraceTrP₃+ P P′ PP′ l tick tr
--@END

--@BEGIN@bisimTraceTrPoneplus
  bisimTraceTrP₁+ : {lu : LUniv}{c : Choice}
                    (P P′ : Process+ ∞ c)
                    (PP′ : Bisimw+ {∞} P P′)
                    (l : List (Label lu))
                    (tick : Process ∞ {lu} c ⊎ ChoiceSet c)
                    (tr : TrP+ l tick P′)
                    → Process ∞ {lu} c ⊎ ChoiceSet c
  bisimTraceTrP₁+ P P′ PP′ .[] .(inj₁ (node P′)) empty = inj₁ (node P)
  bisimTraceTrP₁+ P P′ PP′ .(Lab P′ x ∷ l) tick (extc l .tick x tr)
    = bisimTraceTrP∞₁ R R′ RR′ l tick tr
    module bisimETraceTrP₁+auxmodule where
      R′ : Process∞ ∞ c
      R′ = PE P′ x

      R : Process∞ ∞ c
      R = bisimEP′r PP′ x

      RR′ : Bisimw∞ {∞} R R′
      RR′ = bisimEnextr PP′ x

  bisimTraceTrP₁+ {lu} {c} P P′ PP′ l tick (intc .l .tick x x₁)
    = bisimTraceTrP∞₁ R R′ RR′ l tick x₁
    module bisimITraceTrP₁+auxmodule where
      R′ : Process∞ ∞ c
      R′ = PI P′ x

      R : Process∞ ∞ c
      R = bisimIP′r PP′ x

      RR′ : Bisimw∞ {∞} R R′
      RR′ = bisimInextr PP′ x

  bisimTraceTrP₁+ P P′ PP′ .[] .(inj₂ (PT P′ x)) (terc x) = inj₂ (PT P′ x)
--@END

--@BEGIN@bisimTraceTrPtwoplus
  bisimTraceTrP₂+ : {lu : LUniv}{c : Choice}
                    (P P′ : Process+ ∞ c)
                    (PP′ : Bisimw+ {∞} P P′)
                    (l : List (Label lu))
                    (tick : Process ∞ {lu} c ⊎ ChoiceSet c)
                    (tr : TrP+ l tick P′)
                    → TrP+ l (bisimTraceTrP₁+ P P′ PP′ l tick tr) P
  bisimTraceTrP₂+ P P′ PP′ .[] .(inj₁ (node P′)) empty = empty
  bisimTraceTrP₂+ {lu} {c} P P′ PP′ .(Lab P′ x ∷ l) tick (extc l .tick x tr₁′) = tr
    module bisimETraceTrP₂+auxmodule where
      R′ : Process∞ ∞ c
      R′ = PE P′ x

      R : Process∞ ∞ c
      R = bisimEP′r PP′ x

      RR′ : Bisimw∞ {∞} R R′
      RR′ = bisimEnextr PP′ x

      Rhat : Process ∞ {lu} c ⊎ ChoiceSet c
      Rhat = bisimTraceTrP₁ (forcep R) (forcep (PE P′ x)) (forceB RR′) l tick tr₁′

      tr₁ : P →+*[ Lab P′ x ∷ [] ] (forcep R)
      tr₁ = bisimEtrr PP′ x

      tr₂ : TrP∞ {lu} {c} l Rhat R
      tr₂ = bisimTraceTrP₂ (forcep R) (forcep (PE P′ x)) (forceB RR′) l tick tr₁′

      tr : TrP+ (Lab P′ x ∷ l) Rhat P
      tr = trPAppendTrw+ c P (forcep R) (Lab P′ x ∷ []) l Rhat tr₁ tr₂

  bisimTraceTrP₂+ {lu} {c} P P′ PP′ l tick (intc .l .tick x tr₂′) = tr
    module bisimITraceTrP₂+auxmodule where
      R′ : Process∞ ∞ c
      R′ = PI P′ x

      R : Process∞ ∞ c
      R = bisimIP′r PP′ x

      RR′ : Bisimw∞ {∞} R R′
      RR′ = bisimInextr PP′ x

      Rhat : Process ∞ {lu} c ⊎ ChoiceSet c
      Rhat = bisimTraceTrP₁ (forcep (bisimIP′r PP′ x)) (forcep (PI P′ x))
                            (forceB (bisimInextr PP′ x)) l tick tr₂′

      tr₁ : P →+*[ [] ] (forcep R)
      tr₁ = bisimItrr PP′ x

      tr₂ : TrP l Rhat (forcep R)
      tr₂ = bisimTraceTrP₂ (forcep R) (forcep (PI P′ x))
                           (forceB (bisimInextr PP′ x)) l tick tr₂′

      tr : TrP+ l Rhat P
      tr = trPAppendTrw+ c P (forcep R) [] l Rhat tr₁ tr₂

  bisimTraceTrP₂+ {lu} {c} P P′ PP′ .[] .(inj₂ (PT P′ x)) (terc x) = tr₁
    where
      tr₁ : TrP+ [] (inj₂ (PT P′ x)) P
      tr₁ = bisimTtrr PP′ x
--@END

--@BEGIN@bisimTraceTrPthreeplus
  bisimTraceTrP₃+ : {lu : LUniv}{c : Choice}
                    (P P′ : Process+ ∞ c)
                    (PP′ : Bisimw+ {∞} P P′)
                    (l : List (Label lu))
                    (tick : Process ∞ {lu} c ⊎ ChoiceSet c)
                    (tr : TrP+ l tick P′)
                    → BisimForNextP (bisimTraceTrP₁+ P P′ PP′ l tick tr) tick
  bisimTraceTrP₃+ P P′ PP′ .[] .(inj₁ (node P′)) empty = eqnode PP′
  bisimTraceTrP₃+ P P′ PP′ .(Lab P′ x ∷ l) (inj₁ x₁) (extc l .(inj₁ x₁) x x₂)
    = bisimTraceTrP₃ (forcep (bisimETraceTrP₁+auxmodule.R P′ l x (inj₁ x₁) P PP′ x₂))
                     (forcep (PE P′ x))
                     (forceB (bisimETraceTrP₁+auxmodule.RR′ P′ l x (inj₁ x₁) P PP′ x₂))
                     l (inj₁ x₁) x₂
  bisimTraceTrP₃+ P P′ PP′ .(Lab P′ x ∷ l) (inj₂ y) (extc l .(inj₂ y) x x₁)
    = bisimTraceTrP₃ (forcep (bisimETraceTrP₁+auxmodule.R P′ l x (inj₂ y) P PP′ x₁))
                     (forcep (PE P′ x))
                     (forceB (bisimETraceTrP₁+auxmodule.RR′ P′ l x (inj₂ y) P PP′ x₁))
                     l (inj₂ y) x₁
  bisimTraceTrP₃+ P P′ PP′ l (inj₁ x) (intc .l .(inj₁ x) x₁ x₂)
    = bisimTraceTrP₃ (forcep (bisimITraceTrP₁+auxmodule.R l (inj₁ x) P′ P PP′ x₁ x₂))
                     (forcep (PI P′ x₁))
                     (forceB (bisimITraceTrP₁+auxmodule.RR′ l (inj₁ x) P′ P PP′ x₁ x₂))
                     l (inj₁ x) x₂
  bisimTraceTrP₃+ {lu} {c} P P′ PP′ l (inj₂ y) (intc .l .(inj₂ y) x x₁)
    = bisimTraceTrP₃ (forcep (bisimITraceTrP₁+auxmodule.R l (inj₂ y) P′ P PP′ x x₁))
                     (forcep (PI P′ x))
                     (forceB (bisimITraceTrP₁+auxmodule.RR′ l (inj₂ y) P′ P PP′ x x₁))
                     l (inj₂ y) x₁
  bisimTraceTrP₃+ {lu} {c} P P′ PP′ .[] .(inj₂ (PT P′ x)) (terc x) = refl
--@END


{- the following lemma is false if tickincluded = false -}

mutual

  lemmaDrefusalStableNotTermequiv : {lu : LUniv}{c : Choice}(Q : Process ∞ {lu} c)
                                    (X : Label lu → Bool)
                                    (dref : DRefusal Q true X)
                                    (stab : stable Q)
                                    (y : ChoiceSet c)
                                    (termequivQ : TerminateEquivalent y Q)
                                    → ⊥
  lemmaDrefusalStableNotTermequiv (terminate x) X dref stab y termequiv = dref tt
  lemmaDrefusalStableNotTermequiv (node Q) X (drefusal noextChInX noTerm) stab y (termeqnode terequivP)
    = hasTauOrTickGivesBot hasTauOrTickNoTau′
    where
      hasTauOrTickNoTau′ : ChoiceSet (I Q) ⊎ (¬ (ChoiceSet (I Q)) × ChoiceSet (T Q))
      hasTauOrTickNoTau′ = hasTauOrTickNoTau terequivP

      hasTauOrTickGivesBot : ChoiceSet (I Q) ⊎ (¬ (ChoiceSet (I Q)) × ChoiceSet (T Q)) → ⊥
      hasTauOrTickGivesBot (inj₁ x) = stabToNoInternal+ Q stab x   -- stab x
      hasTauOrTickGivesBot (inj₂ (noti ,, t)) = noTerm _ t

  lemmaDivNotTermequiv : {lu : LUniv}{c : Choice}(Q : Process ∞ {lu} c)
                         (divQ : DivergentProcess ∞ {lu} c Q)
                         (x : ChoiceSet c)
                         (termequivQ : TerminateEquivalent x Q)
                         → ⊥
  lemmaDivNotTermequiv .(node P) (div P (div+ int divP)) x (termeqnode terequivP)
    = lemmaDivNotTermequiv (forcep (PI P int)) (forcediv divP) x (onlyIntChoice terequivP int)


A.6 bisimilarity.agda

--@PREFIX@bisim
module bisimilarity where

open import process
open import choiceSetU
open import labelUniv
open import Size
open import Relation.Binary.PropositionalEquality
open import Data.Unit.Base
open import Data.Empty
open import Data.List
open import Data.Sum
open import TraceWithNextProcess
open import auxData
open import dataAuxFunction
open import fdi

lemmaorcross₁ : {A B C : Set}(ab : A ⊎ (B × C)) → A ⊎ C
lemmaorcross₁ (inj₁ a) = inj₁ a
lemmaorcross₁ (inj₂ (b ,, c)) = inj₂ c

lemmaorcross₂ : {A B C : Set}(ab : A ⊎ (B × C)) → A ⊎ B
lemmaorcross₂ (inj₁ a) = inj₁ a
lemmaorcross₂ (inj₂ (b ,, c)) = inj₂ b


mutual

--@BEGIN@bisimsDefinf
  record Bisims∞ {i : Size}{lu : LUniv}{c : Choice}
                 (P P′ : Process∞ ∞ {lu} c) : Set where
    coinductive
    field
      forceB : {j : Size< i} → Bisims {j} {lu} (forcep P) (forcep P′)
--@END

--@BEGIN@bisimsDef
  data Bisims {i : Size}{lu : LUniv}{c : Choice} :
              (P P′ : Process ∞ {lu} c) → Set where
    eqterminate : {a : ChoiceSet c}
                  → Bisims {i} (terminate a) (terminate a)
    eqnode : {Q Q′ : Process+ ∞ {lu} c} → Bisims+ {i} Q Q′
             → Bisims {i} (node Q) (node Q′)
--@END

--@BEGIN@bisimsDefPlus
  record Bisims+ {i : Size}{lu : LUniv}{c : Choice}
                 (P P′ : Process+ ∞ {lu} c) : Set where
    coinductive
    field
      bisim2E     : (e : ChoiceSet (E P)) → ChoiceSet (E P′)
      bisimELab   : (e : ChoiceSet (E P))
                    → Lab P e ≡ Lab P′ (bisim2E e)
      bisimENext  : (e : ChoiceSet (E P))
                    → Bisims∞ {i} (PE P e) (PE P′ (bisim2E e))
      bisim2I     : (inti : ChoiceSet (I P)) → ChoiceSet (I P′)
      bisimINext  : (inti : ChoiceSet (I P))
                    → Bisims∞ {i} (PI P inti) (PI P′ (bisim2I inti))
      bisim2T     : (t : ChoiceSet (T P)) → ChoiceSet (T P′)
      bisim2TEq   : (t : ChoiceSet (T P))
                    → PT P t ≡ PT P′ (bisim2T t)
      bisim2Er    : (e : ChoiceSet (E P′)) → ChoiceSet (E P)
      bisimELabr  : (e : ChoiceSet (E P′))
                    → Lab P′ e ≡ Lab P (bisim2Er e)
      bisimENextr : (e : ChoiceSet (E P′))
                    → Bisims∞ {i} (PE P (bisim2Er e)) (PE P′ e)
      bisim2Ir    : (inti : ChoiceSet (I P′)) → ChoiceSet (I P)
      bisimINextr : (inti : ChoiceSet (I P′))
                    → Bisims∞ {i} (PI P (bisim2Ir inti)) (PI P′ inti)
      bisim2Tr    : (t : ChoiceSet (T P′)) → ChoiceSet (T P)
      bisim2TEqr  : (t : ChoiceSet (T P′))
                    → PT P′ t ≡ PT P (bisim2Tr t)
--@END

open Bisims∞ public
open Bisims+ public

mutual

  swapChoiceSetss : {i : Size}{lu : LUniv}{c : Choice}(P P′ : Process+ ∞ {lu} c)
                    (PP′ : Bisims+ {i} P P′)
                    (p : ChoiceSet (I P) ⊎ ¬ (ChoiceSet (I P)))
                    → ChoiceSet (I P′) ⊎ ¬ (ChoiceSet (I P′))
  swapChoiceSetss {i} {c} P P′ PP′ (inj₁ x) = inj₁ (bisim2I PP′ x)
  swapChoiceSetss {i} {c} P P′ PP′ (inj₂ y) = inj₂ (λ y′ → y (bisim2Ir PP′ y′))

  swapChoiceSetssr : {i : Size}{lu : LUniv}{c : Choice}(P P′ : Process+ ∞ {lu} c)
                     (PP′ : Bisims+ {i} P P′)
                     (p : ChoiceSet (I P′) ⊎ ¬ (ChoiceSet (I P′)))
                     → ChoiceSet (I P) ⊎ ¬ (ChoiceSet (I P))
  swapChoiceSetssr {i} {c} P P′ PP′ (inj₁ x) = inj₁ (bisim2Ir PP′ x)
  swapChoiceSetssr {i} {c} P P′ PP′ (inj₂ y) = inj₂ (λ y′ → y (bisim2I PP′ y′))


mutual

--@BEGIN@Nondivergent
  record NonDivergent∞ {i : Size}{lu : LUniv}{c : Choice}
                       (P : Process∞ ∞ {lu} c) : Set where
    inductive
    field
      forceND : {j : Size< i} → NonDivergent {j} (forcep P)

  NonDivergent : {i : Size}{lu : LUniv}{c : Choice}
                 (P : Process ∞ {lu} c) → Set
  NonDivergent (terminate x) = ⊤
  NonDivergent {i} (node Q) = NonDivergent+ {i} Q

  data NonDivergent+ {i : Size}{lu : LUniv}{c : Choice}
                     (P : Process+ ∞ {lu} c) : Set where
    nondiv : ((inti : ChoiceSet (I P)) → NonDivergent∞ {i} (PI P inti))
             → (chemptyornot : ChoiceSet (I P) ⊎ ¬ (ChoiceSet (I P)))
             → NonDivergent+ {i} P
--@END

open NonDivergent∞ public
mutual

--@BEGIN@TerminateEquivalentinf
  TerminateEquivalent∞ : {lu : LUniv}{c : Choice}(a : ChoiceSet c)
                         (P : Process∞ ∞ {lu} c) → Set
  TerminateEquivalent∞ a P = TerminateEquivalent a (forcep P)
--@END

--@BEGIN@TerminateEquivalent
  data TerminateEquivalent {lu : LUniv}{c : Choice}(a : ChoiceSet c)
                           : (P : Process ∞ {lu} c) → Set where
    termeqterm : TerminateEquivalent a (terminate a)
    termeqnode : {P : Process+ ∞ {lu} c}
                 (terequivP : TerminateEquivalent+ a P)
                 → TerminateEquivalent a (node P)
--@END

--@BEGIN@TerminateEquivalentplus
  record TerminateEquivalent+ {lu : LUniv}{c : Choice}(a : ChoiceSet c)
                              (P : Process+ ∞ {lu} c) : Set where
    inductive
    field
      noExtChoice       : (e : ChoiceSet (E P)) → ⊥
      onlyIntChoice     : (i : ChoiceSet (I P))
                          → TerminateEquivalent∞ a (PI P i)
      termIsa           : (t : ChoiceSet (T P)) → a ≡ PT P t
      hasTauOrTickNoTau : ChoiceSet (I P) ⊎
                          (¬ (ChoiceSet (I P)) × ChoiceSet (T P))
--@END

open TerminateEquivalent+ public

hasTauOrTick : {lu : LUniv}{c : Choice}
               {a : ChoiceSet c}
               {P : Process+ ∞ {lu} c}
               (termequiv : TerminateEquivalent+ a P)
               → ChoiceSet (I P) ⊎ ChoiceSet (T P)
hasTauOrTick termequiv = lemmaorcross₁ (hasTauOrTickNoTau termequiv)

hasTauOrNotTau : {lu : LUniv}{c : Choice}
                 {a : ChoiceSet c}
                 {P : Process+ ∞ {lu} c}
                 (termequiv : TerminateEquivalent+ a P)
                 → ChoiceSet (I P) ⊎ ¬ (ChoiceSet (I P))
hasTauOrNotTau termequiv = lemmaorcross₂ (hasTauOrTickNoTau termequiv)


mutual

--@BEGIN@bisimDefinf
  record Bisimw∞ {i : Size}{lu : LUniv}{c : Choice}
                 (P P′ : Process∞ ∞ {lu} c) : Set where
    coinductive
    field
      forceB : {j : Size< i} → Bisimw {j} {lu} (forcep P) (forcep P′)
--@END

--@BEGIN@bisimDef
  data Bisimw {i : Size}{lu : LUniv}{c : Choice}
              : (P P′ : Process ∞ {lu} c) → Set where
    eqterminate : {a : ChoiceSet c} → {P′ : Process ∞ {lu} c}
                  (terequiv : TerminateEquivalent a P′)
                  → Bisimw {i} (terminate a) P′
    eqterminater : {a : ChoiceSet c} → {P : Process ∞ {lu} c}
                   (terequiv : TerminateEquivalent a P)
                   → Bisimw {i} P (terminate a)
    eqnode : {Q Q′ : Process+ ∞ {lu} c}
             (bisimQQ′ : Bisimw+ {i} Q Q′)
             → Bisimw {i} (node Q) (node Q′)
--@END

--@BEGIN@bisimDefPlus
  record Bisimw+ {i : Size}{lu : LUniv}{c : Choice}
                 (P P′ : Process+ ∞ {lu} c) : Set where
    coinductive
    field
      bisimdiv    : DivergentProcess+ i c P → DivergentProcess+ i c P′
      nondiv+     : NonDivergent+ {i} P → NonDivergent+ {i} P′
      bisimEP′    : (e : ChoiceSet (E P)) → Process∞ ∞ {lu} c
      bisimEtr    : (e : ChoiceSet (E P))
                    → P′ →+*[ Lab P e ∷ [] ] (forcep (bisimEP′ e))
      bisimEnext  : (e : ChoiceSet (E P))
                    → Bisimw∞ {i} (PE P e) (bisimEP′ e)
      bisimIP′    : (inti : ChoiceSet (I P)) → Process∞ ∞ {lu} c
      bisimItr    : (inti : ChoiceSet (I P))
                    → P′ →+*[ [] ] (forcep (bisimIP′ inti))
      bisimInext  : (inti : ChoiceSet (I P))
                    → Bisimw∞ {i} (PI P inti) (bisimIP′ inti)
      bisimTtr    : (t : ChoiceSet (T P)) → TrP+ [] (inj₂ (PT P t)) P′
      bisimdivr   : DivergentProcess+ i c P′ → DivergentProcess+ i c P
      nondiv+r    : NonDivergent+ {i} P′ → NonDivergent+ {i} P
      bisimEP′r   : (e : ChoiceSet (E P′)) → Process∞ ∞ {lu} c
      bisimEtrr   : (e : ChoiceSet (E P′))
                    → TrP+ (Lab P′ e ∷ []) (inj₁ (forcep (bisimEP′r e))) P
      bisimEnextr : (e : ChoiceSet (E P′))
                    → Bisimw∞ {i} (bisimEP′r e) (PE P′ e)
      bisimIP′r   : (inti : ChoiceSet (I P′)) → Process∞ ∞ {lu} c
      bisimItrr   : (inti : ChoiceSet (I P′))
                    → TrP+ [] (inj₁ (forcep (bisimIP′r inti))) P
      bisimInextr : (inti : ChoiceSet (I P′))
                    → Bisimw∞ {i} (bisimIP′r inti) (PI P′ inti)
      bisimTtrr   : (t : ChoiceSet (T P′)) → TrP+ [] (inj₂ (PT P′ t)) P
--@END

open Bisimw∞ public
open Bisimw+ public

A.7 bisimilarityProofs.agda

--@PREFIX@bisimilarityProofs
module bisimilarityProofs where

open import process
open import choiceSetU
open import labelUniv
open import Size
open import Relation.Binary.PropositionalEquality
open import Data.Unit.Base
open import Data.Empty
open import Data.List
open import Data.Sum
open import TraceWithNextProcess
open import dataAuxFunction
open import fdi
open import fdiRefusal
open import bisimilarity
open import bisimSym
open import Data.Bool renaming (T to True)
open import bisimForNextProcess
open import traceImpliesTraceP
open import bisimImpliesBisim
open import fdi
open import auxData
open import bisimilarityProofsWithSchneiderStable

mutual

  nondivImpliesIPornotIP : {lu : LUniv}{c : Choice}(P : Process+ ∞ {lu} c)
                           (nondiv : NonDivergent+ P)
                           → ChoiceSet (I P) ⊎ ¬ (ChoiceSet (I P))
  nondivImpliesIPornotIP {c} P (nondiv _ chemptyornot) = chemptyornot

mutual

  swapChoiceSets : {lu : LUniv}{c : Choice}(P P′ : Process+ ∞ {lu} c)
                   (PP′ : Bisimw+ {∞} P P′)
                   (nondiv : NonDivergent+ P)
                   → ChoiceSet (I P′) ⊎ ¬ (ChoiceSet (I P′))
  swapChoiceSets {c} P P′ PP′ nond = nondivImpliesIPornotIP P′ (nondiv+ PP′ nond)

mutual

  stableImpliesNonDiv∞ : {lu : LUniv}{c : Choice}(P : Process∞ ∞ {lu} c)
                         (PS : stable∞ P) → NonDivergent∞ P
  forceND (stableImpliesNonDiv∞ P PS) = stableImpliesNonDiv (forcep P) PS

  stableImpliesNonDiv : {lu : LUniv}{c : Choice}(P : Process ∞ {lu} c)
                        (PS : stable P)
                        → NonDivergent P
  stableImpliesNonDiv (terminate x) PS = tt
  stableImpliesNonDiv (node x) PS = stableImpliesNonDiv+ x PS

  stableImpliesNonDiv+ : {lu : LUniv}{c : Choice}(P : Process+ ∞ {lu} c)
                         (PS : stable+ P) → NonDivergent+ P
  stableImpliesNonDiv+ P PS = nondiv (stableImpliesNonDiv+aux P PS) (inj₂ (stabToNoInternal+ P PS))

  stableImpliesNonDiv+aux : {lu : LUniv}{c : Choice}(P : Process+ ∞ {lu} c)
                            (PS : stable+ P)(i : ChoiceSet (I P))
                            → NonDivergent∞ (PI P i)
  stableImpliesNonDiv+aux P PS i = ⊥-elim (stabToNoInternal+ P PS i)

mutual

  TerImpliesNotDivergentaux+ : {lu : LUniv}(c : Choice)(P : Process+ ∞ {lu} c)
                               (a : ChoiceSet c)
                               (terequiv : TerminateEquivalent+ a P)
                               → NonDivergent+ P
  TerImpliesNotDivergentaux+ c P a terequiv
    = nondiv (λ i → TerImpliesNotDivergentaux∞ c (PI P i) a (onlyIntChoice terequiv i))
             (hasTauOrNotTau terequiv)

  TerImpliesNotDivergentaux : {lu : LUniv}(c : Choice)(P : Process ∞ {lu} c)
                              (a : ChoiceSet c)
                              (terequiv : TerminateEquivalent a P)
                              → NonDivergent P
  TerImpliesNotDivergentaux c (terminate x) a terequiv = tt
  TerImpliesNotDivergentaux c (node x) a (termeqnode terequivP)
    = TerImpliesNotDivergentaux+ c x a terequivP

  TerImpliesNotDivergentaux∞ : {lu : LUniv}(c : Choice)(P : Process∞ ∞ {lu} c)
                               (a : ChoiceSet c)
                               (terequiv : TerminateEquivalent a (forcep P))
                               → NonDivergent∞ P
  forceND (TerImpliesNotDivergentaux∞ c P a terequiv)
    = TerImpliesNotDivergentaux c (forcep P) a terequiv

--@BEGIN@bisimStableImpliesNotDivergent
mutual

  bisimStableImpliesNotDivergent∞ : {lu : LUniv}(c : Choice)
                                    (P P′ : Process∞ ∞ {lu} c)
                                    (PP′ : Bisimw∞ P P′)
                                    (PS′ : stable∞ P′)
                                    (nonDivP′ : NonDivergent∞ P′)
                                    → NonDivergent∞ P
  forceND (bisimStableImpliesNotDivergent∞ c P P′ PP′ PS′ nonDivP′)
    = bisimStableImpliesNotDivergent c (forcep P) (forcep P′) (forceB PP′) PS′ (forceND nonDivP′)

  bisimStableImpliesNotDivergent : {lu : LUniv}(c : Choice)
                                   (P P′ : Process ∞ {lu} c)
                                   (PP′ : Bisimw P P′)
                                   (PS′ : stable P′)
                                   (nonDivP′ : NonDivergent P′)
                                   → NonDivergent P
  bisimStableImpliesNotDivergent c (terminate x) P′ PP′ PS′ nonDivP′ = tt
  bisimStableImpliesNotDivergent c (node P) (terminate a) (eqterminater (termeqnode terequivP)) PS′ nonDivP′
    = TerImpliesNotDivergentaux c (node P) a (termeqnode terequivP)
  bisimStableImpliesNotDivergent c (node P) (node P′) (eqnode PP′) PS′ nonDivP′
    = bisimStableImpliesNotDivergent+ c P P′ PP′ PS′ nonDivP′

  bisimStableImpliesNotDivergent+ : {lu : LUniv}(c : Choice)
                                    (P P′ : Process+ ∞ {lu} c)
                                    (PP′ : Bisimw+ P P′)
                                    (PS′ : stable+ P′)
                                    (nonDivP′ : NonDivergent+ P′)
                                    → NonDivergent+ P
  bisimStableImpliesNotDivergent+ c P P′ PP′ PS′ nonDivP′ = nondiv+r PP′ nonDivP′
--@END


--@BEGIN@nonDivBecomeStable
mutual

  nonDivBecomeStable∞₁ : {lu : LUniv}(c : Choice)
                         (P : Process∞ ∞ {lu} c)
                         (nonDivP : NonDivergent∞ P)
                         → Process ∞ {lu} c
  nonDivBecomeStable∞₁ c P nonDivP = nonDivBecomeStable₁ c (forcep P) (forceND nonDivP)

  nonDivBecomeStable∞₂ : {lu : LUniv}(c : Choice)
                         (P : Process∞ ∞ {lu} c)
                         (nonDivP : NonDivergent∞ P)
                         → TrP∞ {lu} [] (inj₁ (nonDivBecomeStable∞₁ c P nonDivP)) P
  nonDivBecomeStable∞₂ c P nonDivP = nonDivBecomeStable₂ c (forcep P) (forceND nonDivP)

  nonDivBecomeStable∞₃ : {lu : LUniv}(c : Choice)
                         (P : Process∞ ∞ {lu} c)
                         (nonDivP : NonDivergent∞ P)
                         → stableSch (nonDivBecomeStable∞₁ c P nonDivP)
  nonDivBecomeStable∞₃ c P nonDivP = nonDivBecomeStable₃ c (forcep P) (forceND nonDivP)

  nonDivBecomeStable+₁ : {lu : LUniv}(c : Choice)
                         (P : Process+ ∞ {lu} c)
                         (nonDivP : NonDivergent+ P)
                         → Process ∞ {lu} c
  nonDivBecomeStable+₁ c P (nondiv x (inj₁ int)) = nonDivBecomeStable∞₁ c (PI P int) (x int)
  nonDivBecomeStable+₁ c P (nondiv x (inj₂ stab)) = node P

  nonDivBecomeStable+₂ : {lu : LUniv}(c : Choice)
                         (P : Process+ ∞ {lu} c)
                         (nonDivP : NonDivergent+ P)
                         → TrP+ {lu} [] (inj₁ (nonDivBecomeStable+₁ c P nonDivP)) P
  nonDivBecomeStable+₂ c P (nondiv x (inj₁ int))
    = intc [] (inj₁ (nonDivBecomeStable+₁ c P (nondiv x (inj₁ int)))) int
           (nonDivBecomeStable∞₂ c (PI P int) (x int))
  nonDivBecomeStable+₂ c P (nondiv x (inj₂ stab)) = empty

  nonDivBecomeStable+₃ : {lu : LUniv}(c : Choice)
                         (P : Process+ ∞ {lu} c)
                         (nonDivP : NonDivergent+ P)
                         → stableSch (nonDivBecomeStable+₁ c P nonDivP)
  nonDivBecomeStable+₃ c P (nondiv x (inj₁ int)) = nonDivBecomeStable∞₃ c (PI P int) (x int)
  nonDivBecomeStable+₃ c P (nondiv x (inj₂ stab)) = stab

  nonDivBecomeStable₁ : {lu : LUniv}(c : Choice)
                        (P : Process ∞ {lu} c)
                        (nonDivP : NonDivergent P)
                        → Process ∞ {lu} c
  nonDivBecomeStable₁ c (terminate x) nonDivP = terminate x
  nonDivBecomeStable₁ c (node x) nonDivP = nonDivBecomeStable+₁ c x nonDivP

  nonDivBecomeStable₂ : {lu : LUniv}(c : Choice)
                        (P : Process ∞ {lu} c)
                        (nonDivP : NonDivergent P)
                        → TrP {lu} [] (inj₁ (nonDivBecomeStable₁ c P nonDivP)) P
  nonDivBecomeStable₂ c (terminate x) nonDivP = empty x
  nonDivBecomeStable₂ c (node x) nonDivP = tnode (nonDivBecomeStable+₂ c x nonDivP)

  nonDivBecomeStable₃ : {lu : LUniv}(c : Choice)
                        (P : Process ∞ {lu} c)
                        (nonDivP : NonDivergent P)
                        → stableSch (nonDivBecomeStable₁ c P nonDivP)
  nonDivBecomeStable₃ c (terminate x) nonDivP = _
  nonDivBecomeStable₃ c (node x) nonDivP = nonDivBecomeStable+₃ c x nonDivP
--@END
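The three notions these modules formalise coinductively (weak bisimulation Bisimw, non-divergence NonDivergent and terminate-equivalence TerminateEquivalent) and the nonDivBecomeStable construction above can be exercised on a finite transition system, where each of them becomes a decidable check. The following is an added Python example, not code from CSP-Agda or from the thesis: the LTS class, the tau/tick encoding, the state names and the SAMPLE system are all constructed here for illustration, and the finite-state restriction is an assumption the Agda definitions do not make. It computes weak bisimilarity as a greatest fixpoint, detects divergence as a reachable tau cycle, follows tau steps to a stable state exactly when the start state is non-divergent, and checks terminate-equivalence clause by clause (noExtChoice, termIsa, hasTauOrTickNoTau, and non-divergence, which is what lemmaDivNotTermequiv asserts).

```python
"""Weak bisimulation, divergence and terminate-equivalence on a finite transition system.

Added example; not part of CSP-Agda. States are strings, a transition is (label, target).
TAU is an internal step; a TICK transition terminates and its "target" is the value
returned (the a of terminate a), not a state.
"""
from typing import Dict, FrozenSet, Set, Tuple

TAU = "tau"
TICK = "tick"
Trans = Dict[str, Set[Tuple[str, str]]]


class LTS:
    def __init__(self, trans: Trans) -> None:
        self.trans = trans
        self.states = set(trans) | {t for ts in trans.values() for l, t in ts if l != TICK}

    def steps(self, s: str) -> Set[Tuple[str, str]]:
        return self.trans.get(s, set())

    def tau_closure(self, s: str) -> FrozenSet[str]:
        """States reachable from s by zero or more internal steps (traces with l = [])."""
        seen, todo = {s}, [s]
        while todo:
            for lab, nxt in self.steps(todo.pop()):
                if lab == TAU and nxt not in seen:
                    seen.add(nxt)
                    todo.append(nxt)
        return frozenset(seen)

    def weak_step(self, s: str, lab: str) -> FrozenSet[str]:
        """Targets of s ==lab==> : tau* lab tau* (tau* for TAU, tau* tick for TICK)."""
        if lab == TAU:
            return self.tau_closure(s)
        mids = {t for p in self.tau_closure(s) for l, t in self.steps(p) if l == lab}
        if lab == TICK:
            return frozenset(mids)  # result values; nothing runs after termination
        return frozenset(q for m in mids for q in self.tau_closure(m))

    def is_stable(self, s: str) -> bool:
        """stable: no internal choice is available."""
        return all(lab != TAU for lab, _ in self.steps(s))

    def is_divergent(self, s: str) -> bool:
        """DivergentProcess: an infinite tau path, i.e. a tau cycle reachable by tau steps."""
        return any(lab == TAU and p in self.tau_closure(t)
                   for p in self.tau_closure(s) for lab, t in self.steps(p))

    def become_stable(self, s: str) -> str:
        """nonDivBecomeStable: follow internal steps until a stable state is reached.
        The Agda version takes the NonDivergent proof as argument; here we check it."""
        if self.is_divergent(s):
            raise ValueError(f"{s} is divergent, no stable state is reachable")
        while not self.is_stable(s):
            s = next(t for lab, t in self.steps(s) if lab == TAU)
        return s

    def terminate_equivalent(self, s: str, a: str) -> bool:
        """TerminateEquivalent a s: no visible action on any tau path (noExtChoice),
        every tick returns a (termIsa), every stable reachable state can tick
        (hasTauOrTickNoTau), and no divergence (the record is inductive)."""
        if self.is_divergent(s):
            return False
        for p in self.tau_closure(s):
            labs = self.steps(p)
            if any(lab not in (TAU, TICK) for lab, _ in labs):
                return False
            if any(lab == TICK and t != a for lab, t in labs):
                return False
            if self.is_stable(p) and not any(lab == TICK for lab, _ in labs):
                return False
        return True


def _matches(lts: LTS, x: str, y: str, rel: Set[Tuple[str, str]]) -> bool:
    """Every step of x is answered by a weak step of y into a related state."""
    for lab, t in lts.steps(x):
        targets = lts.weak_step(y, lab)
        if lab == TICK:
            if t not in targets:  # y must be able to terminate with the same value
                return False
        elif not any((t, u) in rel for u in targets):
            return False
    return True


def weak_bisimilar(lts: LTS, p: str, q: str) -> bool:
    """Greatest fixpoint: start from all pairs and discard any pair one side cannot match."""
    rel = {(x, y) for x in lts.states for y in lts.states}
    changed = True
    while changed:
        changed = False
        for x, y in list(rel):
            if not (_matches(lts, x, y, rel) and _matches(lts, y, x, rel)):
                rel.discard((x, y))
                changed = True
    return (p, q) in rel


# Constructed sample: P0 terminates with a after two internal steps, T at once,
# D0 loops internally forever, and Q0 can still perform the visible action b.
SAMPLE = LTS({
    "P0": {(TAU, "P1")}, "P1": {(TAU, "P2")}, "P2": {(TICK, "a")},
    "T": {(TICK, "a")},
    "D0": {(TAU, "D0")},
    "Q0": {(TAU, "Q1")}, "Q1": {("b", "Q2")}, "Q2": {(TICK, "a")},
})
```

On SAMPLE, P0 is weakly bisimilar to T and terminate-equivalent to a (the eqterminater case of Bisimw), Q0 is neither because a visible b is reachable, and D0 is divergent, so it is not terminate-equivalent and become_stable refuses it, mirroring the fact that nonDivBecomeStable takes a NonDivergent proof as argument.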


mutual

  nonDivBecomesStableBisimProof∞ : {lu : LUniv}{c : Choice}(P : Process∞ ∞ {lu} c)
                                   (nondiv′ : NonDivergent∞ P)
                                   (a : ChoiceSet c)
                                   (terequivP : TerminateEquivalent∞ a P)
                                   → Bisimw (nonDivBecomeStable∞₁ c P nondiv′) (terminate a)
  nonDivBecomesStableBisimProof∞ P nondiv′ a terequivP
    = nonDivBecomesStableBisimProof (forcep P) (forceND nondiv′) a terequivP

  nonDivBecomesStableBisimProof : {lu : LUniv}{c : Choice}(P : Process ∞ {lu} c)
                                  (nondiv′ : NonDivergent P)
                                  (a : ChoiceSet c)
                                  (terequivP : TerminateEquivalent a P)
                                  → Bisimw (nonDivBecomeStable₁ c P nondiv′) (terminate a)
  nonDivBecomesStableBisimProof (terminate x) nondiv′ .x termeqterm = BismwRef (terminate x)
  nonDivBecomesStableBisimProof (node x) nondiv′ a (termeqnode terequivP)
    = nonDivBecomesStableBisimProof+ x nondiv′ a terequivP

  nonDivBecomesStableBisimProof+ : {lu : LUniv}{c : Choice}(P : Process+ ∞ {lu} c)
                                   (nondiv′ : NonDivergent+ P)
                                   (a : ChoiceSet c)
                                   (terequivP : TerminateEquivalent+ a P)
                                   → Bisimw (nonDivBecomeStable+₁ c P nondiv′) (terminate a)
  nonDivBecomesStableBisimProof+ P (nondiv x (inj₁ int)) a terequivP
    = nonDivBecomesStableBisimProof∞ (PI P int) (x int) a (onlyIntChoice terequivP int)
  nonDivBecomesStableBisimProof+ P (nondiv x (inj₂ stab)) a terequivP
    = eqterminater (termeqnode terequivP)

mutual

  emptyTrPtoQImpliesEq : {lu : LUniv}{c : Choice}(P P′ : Process ∞ {lu} c)
                         (PS′ : stable P)(tr : TrP {lu} [] (inj₁ P′) P)
                         → P ≡ P′
  emptyTrPtoQImpliesEq (terminate x) .(terminate x) pat (empty .x) = refl
  emptyTrPtoQImpliesEq (node x) .(node x) PS′ (tnode empty) = refl
  emptyTrPtoQImpliesEq (node Q) P′ PS′ (tnode (intc .[] .(inj₁ P′) x₁ p₂))
    = ⊥-elim (stabToNoInternal+ Q PS′ x₁)

  emptyTrPtoQImpliesEq+ : {lu : LUniv}{c : Choice}(P : Process+ ∞ {lu} c)(P′ : Process ∞ {lu} c)
                          (PS′ : stable+ P)(tr : TrP+ {lu} [] (inj₁ P′) P)
                          → node P ≡ P′
  emptyTrPtoQImpliesEq+ P P′ PS′ tr = emptyTrPtoQImpliesEq (node P) P′ PS′ (tnode tr)


--@BEGIN@bisimPPWithEmptyTr
mutual

  bisimPPWithEmptyTr∞ : {lu : LUniv}{c : Choice}
                        (P P′ : Process∞ ∞ {lu} c)
                        (PP′ : Bisimw∞ P P′) (PS′ : stable∞ P′)
                        (nonDivP : NonDivergent∞ P)
                        (tr : TrP∞ {lu} [] (inj₁ (nonDivBecomeStable∞₁ c P nonDivP)) P)
                        → Bisimw (nonDivBecomeStable∞₁ c P nonDivP) (forcep P′)
  bisimPPWithEmptyTr∞ P P′ PP′ PS′ nonDivP tr
    = bisimPPWithEmptyTr (forcep P) (forcep P′) (forceB PP′) PS′ (forceND nonDivP) tr

  bisimPPWithEmptyTr : {lu : LUniv}{c : Choice}
                       (P P′ : Process ∞ {lu} c)
                       (PP′ : Bisimw P P′) (PS′ : stable P′)
                       (nonDivP : NonDivergent P)
                       (tr : TrP {lu} [] (inj₁ (nonDivBecomeStable₁ {lu} c P nonDivP)) P)
                       → Bisimw (nonDivBecomeStable₁ {lu} c P nonDivP) P′
  bisimPPWithEmptyTr {lu} {c} .(terminate x) (terminate x₁) PP′ PS′ nonDivP (empty x) = PP′
  bisimPPWithEmptyTr (node P) (terminate a) (eqterminater (termeqnode terequivP))
                     PS′ (nondiv nondivPI (inj₁ x)) (tnode tr)
    = nonDivBecomesStableBisimProof∞ (PI P x) (nondivPI x) a (onlyIntChoice terequivP x)
  bisimPPWithEmptyTr (node P) (terminate x) (eqterminater (termeqnode terequivP))
                     PS′ (nondiv x₁ (inj₂ y)) (tnode tr)
    = eqterminater (termeqnode terequivP)
  bisimPPWithEmptyTr (terminate P) (node P′) PP′ PS′ nonDivP tr = PP′
  bisimPPWithEmptyTr (node P) (node P′) (eqnode bisimPP′) PS′ (nondiv x chemptyornot) (tnode tr)
    = bisimPPWithEmptyTr+ P P′ bisimPP′ PS′ (nondiv x chemptyornot) tr

  bisimPPWithEmptyTr+ : {lu : LUniv}{c : Choice}
                        (P P′ : Process+ ∞ {lu} c)
                        (PP′ : Bisimw+ P P′) (PS′ : stable+ P′)
                        (nonDivP : NonDivergent+ P)
                        (tr : TrP+ {lu} [] (inj₁ (nonDivBecomeStable+₁ c P nonDivP)) P)
                        → Bisimw (nonDivBecomeStable+₁ c P nonDivP) (node P′)
  bisimPPWithEmptyTr+ {lu} {c} P P′ PP′ PS′ (nondiv nondiv′ (inj₁ x₁)) tr = PP′″
    where
      P′~ : Process∞ ∞ {lu} c
      P′~ = bisimIP′ PP′ x₁

      trP′P′~ : P′ →+*[ [] ] (forcep P′~)
      trP′P′~ = bisimItr PP′ x₁

      P′≡P′~ : node P′ ≡ forcep P′~ {∞}
      P′≡P′~ = emptyTrPtoQImpliesEq+ P′ (forcep P′~) PS′ trP′P′~

      P′~≡P′ : forcep P′~ {∞} ≡ node P′
      P′~≡P′ rewrite P′≡P′~ = refl

      P′~stable : stable (forcep P′~)
      P′~stable rewrite P′~≡P′ = PS′

      PP″ : Bisimw (nonDivBecomeStable₁ c (forcep (PI P x₁)) (forceND (nondiv′ x₁)))
                   (forcep P′~)
      PP″ = bisimPPWithEmptyTr (forcep (PI P x₁)) (forcep P′~ {∞})
                               (forceB (bisimInext PP′ x₁))
                               P′~stable (forceND (nondiv′ x₁))
                               (nonDivBecomeStable₂ c (forcep (PI P x₁)) (forceND (nondiv′ x₁)))

      PP′″ : Bisimw (nonDivBecomeStable∞₁ c (PI P x₁) (nondiv′ x₁)) (node P′)
      PP′″ rewrite P′≡P′~ = PP″

  bisimPPWithEmptyTr+ P P′ PP′ PS′ (nondiv x (inj₂ y)) empty = eqnode PP′
  bisimPPWithEmptyTr+ P P′ PP′ PS′ (nondiv x (inj₂ y)) (intc .[] .(inj₁ (node P)) x₁ x₂) = eqnode PP′
--@END


mutual 


a 


o 




320 


A. 7 . bisimilarityProofs.agda 
o-o 


choicesetornotBism : {z : Size}{/zz : LUniv}{c : Choice}(P P’ : Process+ oo {lu } c)(PP’: E 

( cc’: ChoiceSet (I P) l±) -> (ChoiceSet (I P ))) 

—* ChoiceSet (I P’) l±l -> (ChoiceSet (I P’)) 

choicesetornotBism {c} P P’ PP’ (inji ip) = inji ( bisi m 21 PP’ ip) 
choicesetornotBism {c} P P’ PP’ (inj 2 notip) = inj 2 (X ip’ —> notip (bisim 2 lr PP’ ip’)) 


mutual
  nondivLemBisims∞ : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process∞ ∞ {lu} c)
                     → Bisims∞ {i} P P'
                     → NonDivergent∞ {i} P → NonDivergent∞ {i} P'
  forceND (nondivLemBisims∞ P P' PP' nP) = nondivLemBisims (forcep P) (forcep P') (forceB PP') (forceND nP)

  nondivLemBisims : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process ∞ {lu} c)
                    → Bisims {i} P P'
                    → NonDivergent {i} P → NonDivergent {i} P'
  nondivLemBisims .(terminate a) .(terminate a) (eqterminate {a}) nP = tt
  nondivLemBisims .(node Q) .(node Q') (eqnode {Q} {Q'} QQ') nP = nondivLemBisims+ Q Q' QQ' nP

  nondivLemBisims+ : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process+ ∞ {lu} c)
                     → Bisims+ {i} P P'
                     → NonDivergent+ {i} P → NonDivergent+ {i} P'
  nondivLemBisims+ P P' PP' (nondiv f p) =
    nondiv (λ i → nondivLemBisims∞ (PI P (bisim2lr PP' i)) (PI P' i) (bisimINextr PP' i)
                                   (f (bisim2lr PP' i)))
           (choicesetornotBism P P' PP' p)


mutual
  divLemBisims∞ : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process∞ ∞ {lu} c)
                  → Bisims∞ {i} P P'
                  → DivergentProcess∞ i c P → DivergentProcess∞ i c P'
  divLemBisims∞ P P' PP' nP .forcediv = divLemBisims (forcep P) (forcep P') (forceB PP') (forcediv nP)

  divLemBisims : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process ∞ {lu} c)
                 → Bisims {i} P P'
                 → DivergentProcess i c P → DivergentProcess i c P'
  divLemBisims .(terminate a) .(terminate a) (eqterminate {a}) nP = nP
  divLemBisims .(node P) .(node P') (eqnode {.P} {P'} PP') (div P divP) = div P' (divLemBisims+ P P' PP' divP)

  divLemBisims+ : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process+ ∞ {lu} c)
                  → Bisims+ {i} P P'
                  → DivergentProcess+ i c P → DivergentProcess+ i c P'
  divLemBisims+ P P' PP' (div+ int Q) = div+ (bisim2l PP' int)
                                             (divLemBisims∞ (PI P int) (PI P' (bisim2l PP' int)) (bisimINext PP' int) Q)


mutual
  nondivLemBisims∞r : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process∞ ∞ {lu} c)
                      → Bisims∞ {i} P P'
                      → NonDivergent∞ {i} P' → NonDivergent∞ {i} P
  forceND (nondivLemBisims∞r P P' PP' nP) = nondivLemBisimsr (forcep P) (forcep P') (forceB PP') (forceND nP)

  nondivLemBisimsr : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process ∞ {lu} c)
                     → Bisims {i} P P'
                     → NonDivergent {i} P' → NonDivergent {i} P
  nondivLemBisimsr .(terminate a) .(terminate a) (eqterminate {a}) nP = tt
  nondivLemBisimsr .(node Q) .(node Q') (eqnode {Q} {Q'} QQ') nP = nondivLemBisims+r Q Q' QQ' nP

  nondivLemBisims+r : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process+ ∞ {lu} c)
                      → Bisims+ {i} P P'
                      → NonDivergent+ {i} P' → NonDivergent+ {i} P
  nondivLemBisims+r P P' PP' (nondiv f p) =
    nondiv (λ i → nondivLemBisims∞r (PI P i) (PI P' (bisim2l PP' i)) (bisimINext PP' i)
                                    (f (bisim2l PP' i)))
           (swapChoiceSetssr P P' PP' p)


mutual
  divLemBisims∞r : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process∞ ∞ {lu} c)
                   → Bisims∞ {i} P P'
                   → DivergentProcess∞ i c P' → DivergentProcess∞ i c P
  divLemBisims∞r {i} P P' PP' nP .forcediv = divLemBisimsr (forcep P) (forcep P') (forceB PP') (forcediv nP)

  divLemBisimsr : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process ∞ {lu} c)
                  → Bisims {i} P P'
                  → DivergentProcess i c P' → DivergentProcess i c P
  divLemBisimsr .(terminate a) .(terminate a) (eqterminate {a}) nP = nP
  divLemBisimsr .(node P') .(node P) (eqnode {P'} {.P} PP') (div P divP) = div P' (divLemBisims+r P' P PP' divP)

  divLemBisims+r : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process+ ∞ {lu} c)
                   → Bisims+ {i} P P'
                   → DivergentProcess+ i c P' → DivergentProcess+ i c P
  divLemBisims+r P P' PP' (div+ int Q) = div+ (bisim2lr PP' int)
                                              (divLemBisims∞r (PI P (bisim2lr PP' int)) (PI P' int) (bisimINextr PP' int) Q)


mutual
  stabLemBisims∞ : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process∞ ∞ {lu} c)
                   → Bisims∞ P P'
                   → stable∞ P' → stable∞ P
  stabLemBisims∞ P P' PP' PS' = stabLemBisims (forcep P) (forcep P') (forceB PP') PS'

  stabLemBisims : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process ∞ {lu} c)
                  → Bisims P P'
                  → stable P' → stable P
  stabLemBisims .(terminate a) .(terminate a) (eqterminate {a}) PS' = PS'
  stabLemBisims .(node P) .(node P') (eqnode {P} {P'} PP') PS' = stabLemBisims+ P P' PP' PS'

  stabLemBisims+ : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process+ ∞ {lu} c)
                   → Bisims+ {i} P P'
                   → stable+ P' → stable+ P
  stabLemBisims+ P P' PP' (PnoI ,, PNoTick) = (λ int → PnoI (bisim2l PP' int)) ,, (λ t →


mutual
  divergentImpliesNotTermEquiv+ : {lu : LUniv}(c : Choice)
                                  (P : Process+ ∞ {lu} c)
                                  (a : ChoiceSet c)
                                  (terP : TerminateEquivalent+ a P)
                                  (divP : DivergentProcess+ ∞ {lu} c P)
                                  → ⊥
  divergentImpliesNotTermEquiv+ c P a terequivP (div+ int divP) =
    divergentImpliesNotTermEquiv∞ c (PI P int) a (onlyIntChoice terequivP int) divP

  divergentImpliesNotTermEquiv∞ : {lu : LUniv}(c : Choice)
                                  (P : Process∞ ∞ {lu} c)
                                  (a : ChoiceSet c)
                                  (terP : TerminateEquivalent∞ a P)
                                  (divP : DivergentProcess∞ ∞ {lu} c P)
                                  → ⊥
  divergentImpliesNotTermEquiv∞ c P a terP divP = divergentImpliesNotTermEquiv c (forcep P) a terP (forcediv divP)

  divergentImpliesNotTermEquiv : {lu : LUniv}(c : Choice)
                                 (P : Process ∞ {lu} c)
                                 (a : ChoiceSet c)
                                 (terP : TerminateEquivalent a P)
                                 (divP : DivergentProcess ∞ {lu} c P)
                                 → ⊥
  divergentImpliesNotTermEquiv c .(node P) a (termeqnode terequivP) (div P divP) =
    divergentImpliesNotTermEquiv+ c P a terequivP divP


mutual
  bisimImpliesDivergentPreserv∞ : {lu : LUniv}(c : Choice) (P P' : Process∞ ∞ {lu} c)
                                  (PP' : Bisimw∞ {∞} P P')
                                  (divP : DivergentProcess∞ ∞ {lu} c P)
                                  → DivergentProcess∞ ∞ {lu} c P'
  forcediv (bisimImpliesDivergentPreserv∞ c P P' PP' divP) =
    bisimImpliesDivergentPreserv c (forcep P) (forcep P') (forceB PP')
                                 (forcediv divP)

  bisimImpliesDivergentPreserv+ : {lu : LUniv}(c : Choice) (P P' : Process+ ∞ {lu} c)
                                  (PP' : Bisimw+ {∞} P P')
                                  (divP : DivergentProcess+ ∞ {lu} c P)
                                  → DivergentProcess+ ∞ {lu} c P'
  bisimImpliesDivergentPreserv+ c P P' PP' divP = bisimdiv PP' divP

  --@BEGIN@bisimImpliesDivergentPreserv
  bisimImpliesDivergentPreserv : {lu : LUniv}(c : Choice)
                                 (P P' : Process ∞ {lu} c)
                                 (PP' : Bisimw {∞} P P')
                                 (divP : DivergentProcess ∞ {lu} c P)
                                 → DivergentProcess ∞ {lu} c P'
  bisimImpliesDivergentPreserv c .(terminate _) P' (eqterminate x) ()
  bisimImpliesDivergentPreserv c .(node P) .(terminate a) (eqterminater {a}
                               {.(node P)} (termeqnode terequivP)) (div P divP)
    = ⊥-elim (divergentImpliesNotTermEquiv+ c P a terequivP divP)
  bisimImpliesDivergentPreserv c .(node P) .(node P') (eqnode {.P} {P'} PP')
                               (div P divP)
    = div P' (bisimImpliesDivergentPreserv+ c P P' PP' divP)
  --@END


mutual
  bisimStableImpliesNotDivergent∞' : {lu : LUniv}(c : Choice) (P P' : Process∞ ∞ {lu} c)
                                     (PP' : Bisimw∞ P P')
                                     (PS' : stable∞ P')
                                     → NonDivergent∞ P
  forceND (bisimStableImpliesNotDivergent∞' c P P' PP' PS') =
    bisimStableImpliesNotDivergent' c (forcep P)
                                    (forcep P') (forceB PP') PS'

  bisimStableImpliesNotDivergent' : {lu : LUniv}(c : Choice) (P P' : Process ∞ {lu} c)
                                    (PP' : Bisimw P P')
                                    (PS' : stable P')
                                    → NonDivergent P
  bisimStableImpliesNotDivergent' c (terminate x) P' PP' PS' = tt
  bisimStableImpliesNotDivergent' c (node P) .(terminate a)
                                  (eqterminater {a} terequiv) PS' =
    TerImpliesNotDivergentaux c (node P) a terequiv
  bisimStableImpliesNotDivergent' c (node P) .(node P')
                                  (eqnode {.P} {P'} PP') PS' =
    bisimStableImpliesNotDivergent+' c P P' PP' PS'

  bisimStableImpliesNotDivergent+' : {lu : LUniv}(c : Choice) (P P' : Process+ ∞ {lu} c)
                                     (PP' : Bisimw+ P P') (PS' : stable+ P')
                                     → NonDivergent+ P
  bisimStableImpliesNotDivergent+' c P P' PP' PS' =
    nondiv+r PP' (nondiv (λ i → ⊥-elim (stabToNoInternal+ P' PS' i)) (inj₂ (stabToNoInternal+ P' PS')))


lemBisimDRefusalAux : {lu : LUniv}(c : Choice)
                      (x : ChoiceSet c)
                      (P : Process+ ∞ {lu} c)
                      (hasTauOrTickNoTau : ChoiceSet (I P) ⊎ (¬ (ChoiceSet (I P)) × ChoiceSet (T P)))
                      (PS : ChoiceSet (I P) → ⊥)
                      → ChoiceSet (T P)
lemBisimDRefusalAux c x P (inj₁ x₁) PS = ⊥-elim (PS x₁)
lemBisimDRefusalAux c x P (inj₂ (_ ,, x₁)) PS = x₁


mutual
  bisimDRefusal+ : {lu : LUniv}{c : Choice} (P : Process+ ∞ {lu} c) (P' : Process+ ∞ {lu} c)
                   (PS : stable+ P)
                   (PP' : Bisimw+ {∞} P P')
                   (X : Label lu → Bool)
                   (isRoscoe : Bool)
                   (ref : DRefusal+ P isRoscoe X)
                   → DRefusal+ P' isRoscoe X
  bisimDRefusal+ {c} P P' PS PP' X isRoscoe (drefusal noextChInX noTerm) =
    drefusal (bisimDRefusal+NoExtChInX P P' PS PP' X noextChInX)
             (bisimDRefusalNoTicksIfIsRoscoe P P' PS PP' isRoscoe noTerm)

  bisimDRefusalNoTicksIfIsRoscoe : {lu : LUniv}{c : Choice} (P : Process+ ∞ {lu} c)
                                   (P' : Process+ ∞ {lu} c)
                                   (PS : stable+ P)
                                   (PP' : Bisimw+ {∞} P P')
                                   (isRoscoe : Bool)
                                   (ref : NoTicksIfIsRoscoe P isRoscoe)
                                   → NoTicksIfIsRoscoe P' isRoscoe
  bisimDRefusalNoTicksIfIsRoscoe {lu} {c} P P' PS PP' isRoscoe ref tickIsIncl x =
    ref tickIsIncl (lem c P (PT P' x) path PS)
    where
      path : TrP+ {lu} [] (inj₂ (PT P' x)) P
      path = bisimTtrr PP' x

      lem : {lu : LUniv}(c : Choice)(P : Process+ ∞ {lu} c)(x : ChoiceSet c)
            (tr : TrP+ {lu} [] (inj₂ x) P)
            (PS : stable+ P) → ChoiceSet (T P)
      lem c P x (intc .[] .(inj₂ x) x' x₂) PS = ⊥-elim (stabToNoInternal+ P PS x')
      lem c P .(PT P x₁) (terc x₁) PS = x₁

  bisimDRefusal+NoExtChInX : {lu : LUniv}{c : Choice} (P : Process+ ∞ {lu} c)
                             (P' : Process+ ∞ {lu} c)
                             (PS : stable+ P)
                             (PP' : Bisimw+ {∞} P P')
                             (X : Label lu → Bool)
                             (ref : NoExtChInX P X)
                             → NoExtChInX P' X
  bisimDRefusal+NoExtChInX P P' PS PP' X ref e x = lem2 c P Q (Lab P' e) tr PS X ref x
    where
      Q : Process ∞ {lu} c
      Q = forcep (PP' .bisimEP'r e)

      tr : TrP+ {lu} (Lab P' e :: []) (inj₁ Q) P
      tr = PP' .bisimEtrr e

      lem2 : {lu : LUniv}(c : Choice)(P : Process+ ∞ {lu} c)(Q : Process ∞ {lu} c)
             (l : Label lu)(tr : TrP+ {lu} (l :: []) (inj₁ Q) P)
             (PS : stable+ P)(X : Label lu → Bool)(ref : NoExtChInX P X)(labX : True (X l)) → ⊥
      lem2 c P Q .(Lab P x) (extc .[] .(inj₁ Q) x x₁) PS X ref labX = ref x labX
      lem2 c P Q l (intc .(l :: []) .(inj₁ Q) x x₁) PS X ref labX = stabToNoInternal+ P PS x

  bisimDRefusal : {lu : LUniv}{c : Choice} (P : Process ∞ {lu} c) (P' : Process ∞ {lu} c)
                  (PS : stable P)
                  (PP' : Bisimw {∞} P P')
                  (X : Label lu → Bool)
                  (isRoscoe : Bool)
                  (ref : DRefusal P isRoscoe X)
                  → DRefusal P' isRoscoe X
  bisimDRefusal (terminate x) (terminate x₁) PS PP' X isRoscoe ref tickIncl = ref tickIncl
  bisimDRefusal (terminate x) (node Q) PS (eqterminate (termeqnode terequivP)) X isRoscoe
    drefusal (λ e → ⊥-elim (noExtChoice terequivP e)) (λ t → ⊥-elim (
  bisimDRefusal {lu}{c} (node P) (terminate x) PS
                (eqterminater (termeqnode terequivP)) X isRoscoe (drefusal noextChInX noTerm) tickInc
    = noTerm tickInc (lemBisimDRefusalAux c x P (hasTauOrTickNoTau terequivP) (stabToNoInternal+ P PS))
  bisimDRefusal (node P) (node P') PS (eqnode bisimQQ') X isRoscoe ref =
    bisimDRefusal+ P P' PS bisimQQ' X isRoscoe ref


mutual
  lemmaxxx₁ : {lu : LUniv}{c : Choice} → (result : Process ∞ {lu} c ⊎ ChoiceSet c)
              → (Q : Process ∞ {lu} c)
              → (divQ : DivergentProcess ∞ {lu} c Q)
              → BisimForNextP result (inj₁ Q)
              → Process ∞ {lu} c
  lemmaxxx₁ (inj₁ Q') Q divQ BisimResultQ = Q'
  lemmaxxx₁ (inj₂ y) Q divQ BisimResultQ = ⊥-elim (lemmaDivNotTermequiv Q divQ y BisimResultQ)

  lemmaxxx₂ : {lu : LUniv}{c : Choice} → (result : Process ∞ {lu} c ⊎ ChoiceSet c)
              → (l : List (Label lu))(P : Process ∞ {lu} c)(Q : Process ∞ {lu} c)
              → (divQ : DivergentProcess ∞ {lu} c Q)
              → (bisimForNext : BisimForNextP result (inj₁ Q))
              → (trp : TrP {lu} l result P)
              → TrP {lu} l (inj₁ (lemmaxxx₁ result Q divQ bisimForNext)) P
  lemmaxxx₂ (inj₁ x) l P Q divQ bisimForNext trp = trp
  lemmaxxx₂ (inj₂ y) l P Q divQ bisimForNext trp = ⊥-elim (lemmaDivNotTermequiv Q divQ y bisimForNext)

  lemmaxxx₂+ : {lu : LUniv}{c : Choice} → (result : Process ∞ {lu} c ⊎ ChoiceSet c)
               → (l : List (Label lu))(P : Process+ ∞ {lu} c)(Q : Process ∞ {lu} c)
               → (divQ : DivergentProcess ∞ {lu} c Q)
               → (bisimForNext : BisimForNextP result (inj₁ Q))
               → (trp+ : TrP+ {lu} l result P)
               → TrP+ {lu} l (inj₁ (lemmaxxx₁ result Q divQ bisimForNext)) P
  lemmaxxx₂+ (inj₁ x) l P Q divQ bisimForNext trp+ = trp+
  lemmaxxx₂+ (inj₂ y) l P Q divQ bisimForNext trp+ = ⊥-elim (lemmaDivNotTermequiv Q divQ y bisimForNext)

  lemmaxxx₃ : {lu : LUniv}{c : Choice} → (result : Process ∞ {lu} c ⊎ ChoiceSet c)
              → (l : List (Label lu))(Q : Process ∞ {lu} c)
              → (divQ : DivergentProcess ∞ {lu} c Q)
              → (bisimForNext : BisimForNextP result (inj₁ Q))
              → Bisimw (lemmaxxx₁ result Q divQ bisimForNext) Q
  lemmaxxx₃ (inj₁ Q') l Q divQ bisimForNext = bisimForNext
  lemmaxxx₃ (inj₂ y) l Q divQ bisimForNext = ⊥-elim (lemmaDivNotTermequiv Q divQ y bisimForNext)


mutual
  lemmayyy₁ : {lu : LUniv}{c : Choice} → (result : Process ∞ {lu} c ⊎ ChoiceSet c)
              → (Q : Process ∞ {lu} c)
              → (stab : stable Q)
              → (X : Label lu → Bool)
              → DRefusal {lu}{c} Q true X
              → BisimForNextP result (inj₁ Q)
              → Process ∞ {lu} c
  lemmayyy₁ (inj₁ Q') Q stab X x x₁ = Q'
  lemmayyy₁ (inj₂ y) Q stab X dref termequivQ =
    ⊥-elim (lemmaDrefusalStableNotTermequiv Q X dref stab y termequivQ)

  lemmayyy₁+ : {lu : LUniv}{c : Choice} → (result : Process ∞ {lu} c ⊎ ChoiceSet c)
               → (Q : Process ∞ {lu} c)
               → (stab : stable Q)
               → (X : Label lu → Bool)
               → DRefusal {lu}{c} Q true X
               → BisimForNextP result (inj₁ Q)
               → Process ∞ {lu} c
  lemmayyy₁+ (inj₁ Q') Q stab X x x₁ = Q'
  lemmayyy₁+ (inj₂ y) Q stab X dref termequivQ =
    ⊥-elim (lemmaDrefusalStableNotTermequiv Q X dref stab y termequivQ)

  lemmayyy₂ : {lu : LUniv}{c : Choice} → (result : Process ∞ {lu} c ⊎ ChoiceSet c)
              → (l : List (Label lu))(P : Process ∞ {lu} c)(Q : Process ∞ {lu} c)
              → (stab : stable Q)
              → (X : Label lu → Bool)
              → (dref : DRefusal {lu}{c} Q true X)
              → (bisim : BisimForNextP result (inj₁ Q))
              → TrP {lu} l result P
              → TrP {lu} l (inj₁ (lemmayyy₁ result Q stab X dref bisim)) P
  lemmayyy₂ (inj₁ Q') l P Q stab X dref bisim tr = tr
  lemmayyy₂ (inj₂ y) l P Q stab X dref termequivQ x =
    ⊥-elim (lemmaDrefusalStableNotTermequiv Q X dref stab y termequivQ)

  lemmayyy₂+ : {lu : LUniv}{c : Choice} → (result : Process ∞ {lu} c ⊎ ChoiceSet c)
               → (l : List (Label lu))(P : Process+ ∞ {lu} c)(Q : Process ∞ {lu} c)
               → (stab+ : stable Q)
               → (X : Label lu → Bool)
               → (dref : DRefusal {lu}{c} Q true X)
               → (bisim : BisimForNextP result (inj₁ Q))
               → TrP+ {lu} l result P
               → TrP+ {lu} l (inj₁ (lemmayyy₁ result Q stab+ X dref bisim)) P
  lemmayyy₂+ (inj₁ Q') l P Q stab X dref bisim tr = tr
  lemmayyy₂+ (inj₂ y) l P Q stab X dref termequivQ x =
    ⊥-elim (lemmaDrefusalStableNotTermequiv Q X dref stab y termequivQ)

  lemmayyy₃ : {lu : LUniv}{c : Choice} → (result : Process ∞ {lu} c ⊎ ChoiceSet c)
              → (Q : Process ∞ {lu} c)
              → (stab : stable Q)
              → (X : Label lu → Bool)
              → (dref : DRefusal {lu}{c} Q true X)
              → (bisim : BisimForNextP result (inj₁ Q))
              → Bisimw (lemmayyy₁ result Q stab X dref bisim) Q
  lemmayyy₃ (inj₁ Q') Q stab X dref bisim = bisim
  lemmayyy₃ (inj₂ y) Q stab X dref termequivQ =
    ⊥-elim (lemmaDrefusalStableNotTermequiv Q X dref stab y termequivQ)


lemEqList : {A : Set}(l : List A) → l ++ [] ≡ l
lemEqList [] = refl
lemEqList (x :: l) = cong (λ l' → x :: l') (lemEqList l)

stableNotTerminateEquivaux : {lu : LUniv}{c : Choice} (P : Process+ ∞ {lu} c)
                             (x : ChoiceSet c)
                             (hasTauOrTickNoTau : ChoiceSet (I P) ⊎
                                                  (¬ (ChoiceSet (I P)) × ChoiceSet (T P)))
                             (stab : stable+ P)
                             (notick : noTickIfRoscoe+ true P)
                             → ⊥
stableNotTerminateEquivaux P x (inj₁ int) (stabsch ,, x₂) notick = stabsch int
stableNotTerminateEquivaux P x (inj₂ (noint ,, tick)) stab notick = notick tick

stableNotTerminateEquiv : {lu : LUniv}{c : Choice} (P : Process ∞ {lu} c)
                          (x : ChoiceSet c)
                          (terequiv : TerminateEquivalent x P)
                          (stab : stable P)
                          → ⊥
stableNotTerminateEquiv (terminate x) x₁ terequiv stab = stab _
stableNotTerminateEquiv (node P) x (termeqnode terequivP) (stabSch ,, notick)
  = stableNotTerminateEquivaux P x (hasTauOrTickNoTau terequivP) (stabSch ,, notick) notick

noIntNoTerImpliesNoTermTrace : {lu : LUniv}{c : Choice} (P : Process+ ∞ {lu} c)
                               (x : ChoiceSet c)
                               (tr : TrP+ [] (inj₂ x) P)
                               (noint : ¬ (ChoiceSet (I P)))
                               (noTer : ¬ (ChoiceSet (T P)))
                               → ⊥
noIntNoTerImpliesNoTermTrace P x (intc .[] .(inj₂ x) int x₂) noint noTer = noint int
noIntNoTerImpliesNoTermTrace P .(PT P ter') (terc ter') noint noTer = noTer ter'

mutual
  bisimwStableToNoTick : {lu : LUniv}{c : Choice} (P : Process ∞ {lu} c)
                         (P' : Process ∞ {lu} c)
                         (PP' : Bisimw {∞} P P')
                         (stabP' : stable P')
                         (stabP : stableSch P)
                         → noTickIfRoscoe true P
  bisimwStableToNoTick (terminate x) P' (eqterminate terequiv) stabP' stabP =
    stableNotTerminateEquiv P' x terequiv stabP'
  bisimwStableToNoTick (terminate x) .(terminate _) (eqterminater terequiv) stabP' stabP = s
  bisimwStableToNoTick (node P) (terminate x) PP' stabP' stabP t = stabP' _
  bisimwStableToNoTick (node P) (node P') (eqnode PP') (noint ,, noterP') noterP ter'
    = noIntNoTerImpliesNoTermTrace P' (PT P ter') (bisimTtr PP' ter') noint noterP'


mutual
  --@BEGIN@bisimRefusalros
  bisimRefusalros : {lu : LUniv}{c : Choice} (P : Process ∞ {lu} c)
                    (P' : Process ∞ {lu} c)
                    (PP' : Bisimw {∞} P P') (l : List (Label lu))
                    (X : Label lu → Bool)
                    (fail : failure P' l true X)
                    → failure P l true X
  bisimRefusalros {lu}{c} P P' PP' l X
                  (stableFail (stableFp Q' tr' stab' drefuse'))
    = (stableFail (stableFp Qhat trhat₂
                            (stabSchNoTickIfRos2StablePar Qhat true stabSchQhat
                                                          stabNoTick)
                            drefusehat))
    where
      Qcom : Process ∞ {lu} c ⊎ ChoiceSet c
      Qcom = bisimTraceTrP₁ P P' PP' l (inj₁ Q') tr'

      trcom : TrP {lu} l (bisimTraceTrP₁ P P' PP' l
                            (inj₁ Q') tr') P
      trcom = bisimTraceTrP₂ P P' PP' l (inj₁ Q') tr'

      QQ'com : BisimForNextP (bisimTraceTrP₁ P P' PP' l
                                (inj₁ Q') tr') (inj₁ Q')
      QQ'com = bisimTraceTrP₃ P P' PP' l (inj₁ Q') tr'

      Q : Process ∞ {lu} c
      Q = lemmayyy₁ Qcom Q' stab' X drefuse' QQ'com

      tr : TrP {lu} l (inj₁ Q) P
      tr = lemmayyy₂ Qcom l P Q' stab' X drefuse' QQ'com trcom

      QQ' : Bisimw Q Q'
      QQ' = lemmayyy₃ Qcom Q' stab' X drefuse' QQ'com

      Qhat : Process ∞ {lu} c
      Qhat = nonDivBecomeStable₁ c Q
               (bisimStableImpliesNotDivergent c Q Q' QQ' stab'
                 (stableImpliesNonDiv Q' stab'))

      trhat : TrP {lu} [] (inj₁ Qhat) Q
      trhat = nonDivBecomeStable₂ c Q
                (bisimStableImpliesNotDivergent c Q Q' QQ' stab'
                  (stableImpliesNonDiv Q' stab'))

      QhatQ' : Bisimw Qhat Q'
      QhatQ' = bisimPPWithEmptyTr Q Q' QQ' stab'
                 (bisimStableImpliesNotDivergent c Q Q' QQ' stab'
                   (stableImpliesNonDiv Q' stab')) trhat

      stabSchQhat : stableSch Qhat
      stabSchQhat = nonDivBecomeStable₃ c Q
                      (bisimStableImpliesNotDivergent c Q Q' QQ' stab'
                        (stableImpliesNonDiv Q' stab'))

      stabNoTick : noTickIfRoscoe true Qhat
      stabNoTick = bisimwStableToNoTick Qhat Q' QhatQ' stab' stabSchQhat

      trhat₁ : TrP {lu} (l ++ []) (inj₁ Qhat) P
      trhat₁ = trPAppendTrw c P Q l [] (inj₁ Qhat) tr trhat

      eql : (l ++ []) ≡ l
      eql = lemEqList l

      trhat₂ : TrP {lu} l (inj₁ Qhat) P
      trhat₂ = subst (λ l' → TrP {lu} l' (inj₁ Qhat) P) eql trhat₁

      drefusehat : DRefusal Qhat true X
      drefusehat = bisimDRefusal Q' Qhat stab'
                     (BismwSym Qhat Q' QhatQ') X true drefuse'

  bisimRefusalros {lu}{c} P P' PP' l X
                  (divergentFailure (trdiv Q' trp' divq'))
    = (divergentFailure (trdiv Q tr divp))
    where
      Qcom : Process ∞ {lu} c ⊎ ChoiceSet c
      Qcom = bisimTraceTrP₁ P P' PP' l (inj₁ Q') trp'

      trcom : TrP {lu} l (bisimTraceTrP₁ P P' PP' l (inj₁ Q') trp') P
      trcom = bisimTraceTrP₂ P P' PP' l (inj₁ Q') trp'

      QQ'com : BisimForNextP
                 (bisimTraceTrP₁ P P' PP' l (inj₁ Q') trp') (inj₁ Q')
      QQ'com = bisimTraceTrP₃ P P' PP' l (inj₁ Q') trp'

      Q : Process ∞ {lu} c
      Q = lemmaxxx₁ Qcom Q' divq' QQ'com

      tr : TrP {lu} l (inj₁ Q) P
      tr = lemmaxxx₂ Qcom l P Q' divq' QQ'com trcom

      QQ' : Bisimw Q Q'
      QQ' = lemmaxxx₃ Qcom l Q' divq' QQ'com

      Q'Q : Bisimw Q' Q
      Q'Q = BismwSym Q Q' QQ'

      divp : DivergentProcess ∞ {lu} c Q
      divp = bisimImpliesDivergentPreserv c Q' Q Q'Q divq'
  --@END


--@BEGIN@bisimRefusalrosplus
mutual
  bisimRefusalros+ : {lu : LUniv}{c : Choice} (P : Process+ ∞ {lu} c)
                     (P' : Process+ ∞ {lu} c)
                     (PP' : Bisimw+ {∞} P P')
                     (l : List (Label lu))
                     (X : Label lu → Bool)
                     (fail : failure+ P' l true X)
                     → failure+ P l true X
  bisimRefusalros+ {lu}{c} P P' PP' l X
                   (stableFail (stableFp Q' tr' stab' drefuse'))
    = (stableFail (stableFp Qhat trhat₂
                            (stabSchNoTickIfRos2StablePar Qhat true stabSchQhat
                                                          stabNoTick)
                            drefusehat))
    where
      Qcom : Process ∞ {lu} c ⊎ ChoiceSet c
      Qcom = bisimTraceTrP₁+ P P' PP' l (inj₁ Q') tr'

      trcom : TrP+ l (bisimTraceTrP₁+ P P' PP' l (inj₁ Q') tr') P
      trcom = bisimTraceTrP₂+ P P' PP' l (inj₁ Q') tr'

      QQ'com : BisimForNextP
                 (bisimTraceTrP₁+ P P' PP' l (inj₁ Q') tr') (inj₁ Q')
      QQ'com = bisimTraceTrP₃+ P P' PP' l (inj₁ Q') tr'

      Q : Process ∞ {lu} c
      Q = lemmayyy₁ Qcom Q' stab' X drefuse' QQ'com

      tr : TrP+ {lu} l (inj₁ Q) P
      tr = lemmayyy₂+ Qcom l P Q' stab' X drefuse' QQ'com trcom

      QQ' : Bisimw Q Q'
      QQ' = lemmayyy₃ Qcom Q' stab' X drefuse' QQ'com

      Qhat : Process ∞ {lu} c
      Qhat = nonDivBecomeStable₁ c Q
               (bisimStableImpliesNotDivergent c Q Q' QQ' stab'
                 (stableImpliesNonDiv Q' stab'))

      trhat : TrP {lu} [] (inj₁ Qhat) Q
      trhat = nonDivBecomeStable₂ c Q
                (bisimStableImpliesNotDivergent c Q Q' QQ' stab'
                  (stableImpliesNonDiv Q' stab'))

      QhatQ' : Bisimw Qhat Q'
      QhatQ' = bisimPPWithEmptyTr Q Q' QQ' stab'
                 (bisimStableImpliesNotDivergent c Q Q' QQ' stab'
                   (stableImpliesNonDiv Q' stab')) trhat

      stabSchQhat : stableSch Qhat
      stabSchQhat = nonDivBecomeStable₃ c Q
                      (bisimStableImpliesNotDivergent c Q Q' QQ' stab'
                        (stableImpliesNonDiv Q' stab'))

      stabNoTick : noTickIfRoscoe true Qhat
      stabNoTick = bisimwStableToNoTick Qhat Q' QhatQ' stab' stabSchQhat

      trhat₁ : TrP+ {lu} (l ++ []) (inj₁ Qhat) P
      trhat₁ = trPAppendTrw+ c P Q l [] (inj₁ Qhat) tr trhat

      eql : (l ++ []) ≡ l
      eql = lemEqList l

      trhat₂ : TrP+ {lu} l (inj₁ Qhat) P
      trhat₂ = subst (λ l' → TrP+ {lu} l' (inj₁ Qhat) P) eql trhat₁

      drefusehat : DRefusal Qhat true X
      drefusehat = bisimDRefusal Q' Qhat stab'
                     (BismwSym Qhat Q' QhatQ') X true drefuse'

  bisimRefusalros+ P P' PP' l X
                   (divergentFailure (trdiv Q' trp' divq'))
    = (divergentFailure (trdiv Q tr divp))
    where
      Qcom : Process ∞ {lu} c ⊎ ChoiceSet c
      Qcom = bisimTraceTrP₁+ {lu} P P' PP' l (inj₁ Q') trp'

      trcom : TrP+ {lu} l (bisimTraceTrP₁+ P P' PP' l (inj₁ Q') trp') P
      trcom = bisimTraceTrP₂+ P P' PP' l (inj₁ Q') trp'

      QQ'com : BisimForNextP
                 (bisimTraceTrP₁+ P P' PP' l (inj₁ Q') trp') (inj₁ Q')
      QQ'com = bisimTraceTrP₃+ P P' PP' l (inj₁ Q') trp'

      Q : Process ∞ {lu} c
      Q = lemmaxxx₁ Qcom Q' divq' QQ'com

      tr : TrP+ {lu} l (inj₁ Q) P
      tr = lemmaxxx₂+ Qcom l P Q' divq' QQ'com trcom

      QQ' : Bisimw Q Q'
      QQ' = lemmaxxx₃ Qcom l Q' divq' QQ'com

      Q'Q : Bisimw Q' Q
      Q'Q = BismwSym Q Q' QQ'

      divp : DivergentProcess ∞ {lu} c Q
      divp = bisimImpliesDivergentPreserv c Q' Q Q'Q divq'
--@END


--@BEGIN@bisimImFdiTwo
bisimImFDI₂ : {lu : LUniv}{c : Choice} (P : Process ∞ {lu} c)
              (P' : Process ∞ {lu} c)
              (PP' : Bisimw {∞} P P')
              → P ⊑fdi₂ros P'
bisimImFDI₂ {lu}{c} P P' PP' = bisimRefusalros P P' PP'

bisimImFDI₂r : {lu : LUniv}{c : Choice} (P : Process ∞ {lu} c)
               (P' : Process ∞ {lu} c)
               (PP' : Bisimw {∞} P P')
               → P' ⊑fdi₂ros P
bisimImFDI₂r {lu}{c} P P' PP' = bisimImFDI₂ P' P (BismwSym P P' PP')
--@END

bisimImFDI₂+ : {lu : LUniv}{c : Choice} (P : Process+ ∞ {lu} c)
               (P' : Process+ ∞ {lu} c)
               (PP' : Bisimw+ {∞} P P')
               → P ⊑fdi₂ros+ P'
bisimImFDI₂+ {lu}{c} P P' PP' = bisimRefusalros+ P P' PP'

bisimImFDI₂r+ : {lu : LUniv}{c : Choice} (P : Process+ ∞ {lu} c)
                (P' : Process+ ∞ {lu} c)
                (PP' : Bisimw+ {∞} P P')
                → P' ⊑fdi₂ros+ P
bisimImFDI₂r+ {lu}{c} P P' PP' = bisimImFDI₂+ P' P (BismwSym+ P P' PP')


A.8 bisimilarityProofsWithSchneiderStable2.agda

--@PREFIX@bisimilarityProofs

module bisimilarityProofsWithSchneiderStable2 where

open import process
open import choiceSetU
open import labelUniv
open import Size
open import Relation.Binary.PropositionalEquality
open import Data.Unit.Base
open import Data.Empty
open import Data.List
open import Data.Sum
open import TraceWithNextProcess
open import dataAuxFunction
open import fdi
open import fdiRefusal
open import bisimilarity
open import bisimSym
open import Data.Bool renaming (T to True)
open import bisimForNextProcess
open import traceImpliesTraceP
open import bisimImpliesBisim
open import fdi
open import auxData


mutual
  nondivImpliesIPornotIP : {lu : LUniv}{c : Choice}(P : Process+ ∞ {lu} c)
                           (nondiv : NonDivergent+ P)
                           → ChoiceSet (I P) ⊎ ¬ (ChoiceSet (I P))
  nondivImpliesIPornotIP {c} P
                         (nondiv _ chemptyornot) = chemptyornot

mutual
  swapChoiceSets : {lu : LUniv}{c : Choice}(P P' : Process+ ∞ {lu} c)
                   (PP' : Bisimw+ {∞} P P')
                   (nondiv : NonDivergent+ P)
                   → ChoiceSet (I P') ⊎ ¬ (ChoiceSet (I P'))
  swapChoiceSets {c} P P' PP' nond
    = nondivImpliesIPornotIP P' (nondiv+ PP' nond)


mutual
  stableImpliesNonDiv∞ : {lu : LUniv}{c : Choice}(P : Process∞ ∞ {lu} c)
                         (PS : stable∞ P) → NonDivergent∞ P
  forceND (stableImpliesNonDiv∞ P PS) = stableImpliesNonDiv (forcep P) PS

  stableImpliesNonDiv : {lu : LUniv}{c : Choice}(P : Process ∞ {lu} c)
                        (PS : stable P)
                        → NonDivergent P
  stableImpliesNonDiv (terminate x) PS = tt
  stableImpliesNonDiv (node x) PS = stableImpliesNonDiv+ x PS

  stableImpliesNonDiv+ : {lu : LUniv}{c : Choice}(P : Process+ ∞ {lu} c)
                         (PS : stable+ P) → NonDivergent+ P
  stableImpliesNonDiv+ P PS = nondiv
    (stableImpliesNonDiv+aux P PS) (inj₂ (stabToNoInternal+ P PS))

  stableImpliesNonDiv+aux : {lu : LUniv}{c : Choice}(P : Process+ ∞ {lu} c)
                            (PS : stable+ P)(i : ChoiceSet (I P))
                            → NonDivergent∞ (PI P i)
  stableImpliesNonDiv+aux P PS i = ⊥-elim (stabToNoInternal+ P PS i)


mutual
  TerImpliesNotDivergentaux+ : {lu : LUniv}(c : Choice)(P : Process+ ∞ {lu} c)
                               (a : ChoiceSet c)
                               (terequiv : TerminateEquivalent+ a P)
                               → NonDivergent+ P
  TerImpliesNotDivergentaux+ c P a terequiv = nondiv
    (λ i → TerImpliesNotDivergentaux∞ c
             (PI P i) a (onlyIntChoice terequiv i))
    (hasTauOrNotTau terequiv)

  TerImpliesNotDivergentaux : {lu : LUniv}(c : Choice)(P : Process ∞ {lu} c)
                              (a : ChoiceSet c)
                              (terequiv : TerminateEquivalent a P)
                              → NonDivergent P
  TerImpliesNotDivergentaux c (terminate x) a terequiv = tt
  TerImpliesNotDivergentaux c (node x) a (termeqnode terequivP)
    = TerImpliesNotDivergentaux+ c x a terequivP

  TerImpliesNotDivergentaux∞ : {lu : LUniv}(c : Choice)(P : Process∞ ∞ {lu} c)
                               (a : ChoiceSet c)
                               (terequiv : TerminateEquivalent a (forcep P))
                               → NonDivergent∞ P
  forceND (TerImpliesNotDivergentaux∞ c P a terequiv)
    = TerImpliesNotDivergentaux c (forcep P) a terequiv


--@BEGIN@bisimStableImpliesNotDivergent
mutual
  bisimStableImpliesNotDivergent∞ : {lu : LUniv}(c : Choice)
                                    (P P' : Process∞ ∞ {lu} c)
                                    (PP' : Bisimw∞ P P')
                                    (PS' : stable∞ P')
                                    (nonDivP' : NonDivergent∞ P')
                                    → NonDivergent∞ P
  forceND (bisimStableImpliesNotDivergent∞ c P P' PP' PS' nonDivP')
    = bisimStableImpliesNotDivergent c (forcep P)
                                     (forcep P')
                                     (forceB PP')
                                     PS' (forceND nonDivP')

  bisimStableImpliesNotDivergent : {lu : LUniv}(c : Choice)
                                   (P P' : Process ∞ {lu} c)
                                   (PP' : Bisimw P P')
                                   (PS' : stable P')
                                   (nonDivP' : NonDivergent P')
                                   → NonDivergent P
  bisimStableImpliesNotDivergent c (terminate x) P' PP' PS' nonDivP' = tt
  bisimStableImpliesNotDivergent c (node P) (terminate a)
                                 (eqterminater (termeqnode terequivP))
                                 PS' nonDivP' =
    TerImpliesNotDivergentaux c (node P)
                              a ((termeqnode terequivP))
  bisimStableImpliesNotDivergent c (node P) (node P') (eqnode PP') PS'
                                 nonDivP' = bisimStableImpliesNotDivergent+
                                              c P P' PP' PS' nonDivP'

  bisimStableImpliesNotDivergent+ : {lu : LUniv}(c : Choice)
                                    (P P' : Process+ ∞ {lu} c)
                                    (PP' : Bisimw+ P P')
                                    (PS' : stable+ P')
                                    (nonDivP' : NonDivergent+ P')
                                    → NonDivergent+ P
  bisimStableImpliesNotDivergent+ c P P' PP' PS' nonDivP'
    = nondiv+r PP' nonDivP'
--@END


--@BEGIN@nonDivBecomeStable
mutual
  nonDivBecomeStable∞₁ : {lu : LUniv}(c : Choice)
                         (P : Process∞ ∞ {lu} c)
                         (nonDivP : NonDivergent∞ P)
                         → Process ∞ {lu} c
  nonDivBecomeStable∞₁ c P nonDivP = nonDivBecomeStable₁
                                       c (forcep P) (forceND nonDivP)

  nonDivBecomeStable∞₂ : {lu : LUniv}(c : Choice)
                         (P : Process∞ ∞ {lu} c)
                         (nonDivP : NonDivergent∞ P)
                         → TrP∞ {lu} [] (inj₁
                              (nonDivBecomeStable∞₁ c P nonDivP)) P
  nonDivBecomeStable∞₂ c P nonDivP = nonDivBecomeStable₂
                                       c (forcep P) (forceND nonDivP)

  nonDivBecomeStable∞₃Sch : {lu : LUniv}(c : Choice)
                            (P : Process∞ ∞ {lu} c)
                            (nonDivP : NonDivergent∞ P)
                            → stableSch (nonDivBecomeStable∞₁
                                           c P nonDivP)
  nonDivBecomeStable∞₃Sch c P nonDivP = nonDivBecomeStable₃Sch
                                          c (forcep P) (forceND nonDivP)

  nonDivBecomeStable+₁ : {lu : LUniv}(c : Choice)
                         (P : Process+ ∞ {lu} c)
                         (nonDivP : NonDivergent+ P)
                         → Process ∞ {lu} c
  nonDivBecomeStable+₁ c P (nondiv x (inj₁ int)) =
    nonDivBecomeStable∞₁
      c (PI P int) (x int)
  nonDivBecomeStable+₁ c P (nondiv x (inj₂ stab)) = node P

  nonDivBecomeStable+₂ : {lu : LUniv}(c : Choice)
                         (P : Process+ ∞ {lu} c)
                         (nonDivP : NonDivergent+ P)
                         → TrP+ {lu} [] (inj₁
                              (nonDivBecomeStable+₁ c P nonDivP)) P
  nonDivBecomeStable+₂ c P (nondiv x (inj₁ int)) = intc [] (inj₁
                                                        (nonDivBecomeStable+₁ c P
                                                          (nondiv x (inj₁ int)))) int
                                                      (nonDivBecomeStable∞₂ c
                                                        (PI P int) (x int))
  nonDivBecomeStable+₂ c P (nondiv x (inj₂ stab)) = empty

  nonDivBecomeStable+₃Sch : {lu : LUniv}(c : Choice)
                            (P : Process+ ∞ {lu} c)
                            (nonDivP : NonDivergent+ P)
                            → stableSch
                                (nonDivBecomeStable+₁ c P nonDivP)
  nonDivBecomeStable+₃Sch c P (nondiv x (inj₁ int)) =
    nonDivBecomeStable∞₃Sch c
      (PI P int) (x int)
  nonDivBecomeStable+₃Sch c P (nondiv x (inj₂ stab)) = stab

  nonDivBecomeStable₁ : {lu : LUniv}(c : Choice)
                        (P : Process ∞ {lu} c)
                        (nonDivP : NonDivergent P)
                        → Process ∞ {lu} c
  nonDivBecomeStable₁ c (terminate x) nonDivP = terminate x
  nonDivBecomeStable₁ c (node x) nonDivP =
    nonDivBecomeStable+₁ c x nonDivP

  nonDivBecomeStable₂ : {lu : LUniv}(c : Choice)
                        (P : Process ∞ {lu} c)
                        (nonDivP : NonDivergent P)
                        → TrP {lu} [] (inj₁
                             (nonDivBecomeStable₁ c P nonDivP)) P
  nonDivBecomeStable₂ c (terminate x) nonDivP = empty x
  nonDivBecomeStable₂ c (node x) nonDivP
    = tnode (nonDivBecomeStable+₂ c x nonDivP)

  nonDivBecomeStable₃Sch : {lu : LUniv}(c : Choice)
                           (P : Process ∞ {lu} c)
                           (nonDivP : NonDivergent P)
                           → stableSch (nonDivBecomeStable₁ c P nonDivP)
  nonDivBecomeStable₃Sch c (terminate x) nonDivP = _
  nonDivBecomeStable₃Sch c (node x) nonDivP = nonDivBecomeStable+₃Sch c
                                                x nonDivP
--@END


mutual

  nonDivBecomesStableBisimProof∞ : {lu : LUniv}{c : Choice}(P : Process∞ ∞ {lu} c)
                                   (nondiv' : NonDivergent∞ P)
                                   (a : ChoiceSet c)
                                   (terequivP : TerminateEquivalent∞ a P)
                                   → Bisimw (nonDivBecomeStable∞₁ c P nondiv') (terminate a)
  nonDivBecomesStableBisimProof∞ P nondiv' a terequivP =
    nonDivBecomesStableBisimProof (forcep P) (forceND nondiv') a terequivP

  nonDivBecomesStableBisimProof : {lu : LUniv}{c : Choice}(P : Process ∞ {lu} c)
                                  (nondiv' : NonDivergent P)
                                  (a : ChoiceSet c)
                                  (terequivP : TerminateEquivalent a P)
                                  → Bisimw (nonDivBecomeStable₁ c P nondiv') (terminate a)
  nonDivBecomesStableBisimProof (terminate x) nondiv' .x termeqterm = BismwRef (terminate x)
  nonDivBecomesStableBisimProof (node x) nondiv' a (termeqnode terequivP) =
    nonDivBecomesStableBisimProof+ x nondiv' a terequivP

  nonDivBecomesStableBisimProof+ : {lu : LUniv}{c : Choice}(P : Process+ ∞ {lu} c)
                                   (nondiv' : NonDivergent+ P)
                                   (a : ChoiceSet c)
                                   (terequivP : TerminateEquivalent+ a P)
                                   → Bisimw (nonDivBecomeStable+₁ c P nondiv') (terminate a)
  nonDivBecomesStableBisimProof+ P (nondiv x (inj₁ int)) a terequivP =
    nonDivBecomesStableBisimProof∞ (PI P int) (x int) a (onlyIntChoice terequivP int)
  nonDivBecomesStableBisimProof+ P (nondiv x (inj₂ stab)) a terequivP =
    eqterminater (termeqnode terequivP)


mutual

  emptyTrPtoQImpliesEq : {lu : LUniv}{c : Choice}(P P' : Process ∞ {lu} c)
                         (PS' : stable P)(tr : TrP {lu} [] (inj₁ P') P)
                         → P ≡ P'
  emptyTrPtoQImpliesEq (terminate x) .(terminate x) PS' (empty .x)   = refl
  emptyTrPtoQImpliesEq (node x)      .(node x)      PS' (tnode empty) = refl
  emptyTrPtoQImpliesEq (node Q) P' PS' (tnode (intc .[] .(inj₁ P') x₁ x₂)) =
    ⊥-elim (stabToNoInternal+ Q PS' x₁)

  emptyTrPtoQImpliesEq+ : {lu : LUniv}{c : Choice}(P : Process+ ∞ {lu} c)(P' : Process ∞ {lu} c)
                          (PS' : stable+ P)(tr : TrP+ {lu} [] (inj₁ P') P)
                          → node P ≡ P'
  emptyTrPtoQImpliesEq+ P P' PS' tr = emptyTrPtoQImpliesEq (node P) P' PS' (tnode tr)


--@BEGIN@bisimPPWithEmptyTr

mutual

  -- this is the 4th component of nonDivBecomeStable
  -- the statement we need is
  --   all .. exists P'. traceProperty(P') /\ stableSch(P') /\ P bisimilar to P'
  -- The labelled lemma should contain this as well,
  -- but it should refer to stable and not to stableSch;
  -- stableSch is just an intermediate step.
  -- The lemma is
  --   all .. exists P'. traceProperty(P') /\ stable(P') /\ P bisimilar to P'

  bisimPPWithEmptyTr∞ : {lu : LUniv}{c : Choice}
                        (P P' : Process∞ ∞ {lu} c)
                        (PP' : Bisimw∞ P P')(PS' : stable∞ P')
                        (nonDivP : NonDivergent∞ P)
                        (tr : TrP∞ {lu} [] (inj₁ (nonDivBecomeStable∞₁ c P nonDivP)) P)
                        → Bisimw (nonDivBecomeStable∞₁ c P nonDivP) (forcep P')
  bisimPPWithEmptyTr∞ P P' PP' PS' nonDivP tr =
    bisimPPWithEmptyTr (forcep P) (forcep P') (forceB PP') PS' (forceND nonDivP) tr

  bisimPPWithEmptyTr : {lu : LUniv}{c : Choice}
                       (P P' : Process ∞ {lu} c)
                       (PP' : Bisimw P P')(PS' : stable P')
                       (nonDivP : NonDivergent P)
                       (tr : TrP {lu} [] (inj₁ (nonDivBecomeStable₁ {lu} c P nonDivP)) P)
                       → Bisimw (nonDivBecomeStable₁ {lu} c P nonDivP) P'
  bisimPPWithEmptyTr {lu} {c} .(terminate x) (terminate x₁) PP' PS' nonDivP (empty x) = PP'
  bisimPPWithEmptyTr (node P) (terminate a) (eqterminater (termeqnode terequivP)) PS'
                     (nondiv nondivPI (inj₁ x)) (tnode tr) =
    nonDivBecomesStableBisimProof∞ (PI P x) (nondivPI x) a (onlyIntChoice terequivP x)
  bisimPPWithEmptyTr (node P) (terminate x) (eqterminater (termeqnode terequivP)) PS'
                     (nondiv x₁ (inj₂ y)) (tnode tr) =
    eqterminater (termeqnode terequivP)
  bisimPPWithEmptyTr (terminate P) (node P') PP' PS' nonDivP tr = PP'
  bisimPPWithEmptyTr (node P) (node P') (eqnode bisimPP') PS' (nondiv x chemptyornot) (tnode tr) =
    bisimPPWithEmptyTr+ P P' bisimPP' PS' (nondiv x chemptyornot) tr

  bisimPPWithEmptyTr+ : {lu : LUniv}{c : Choice}
                        (P P' : Process+ ∞ {lu} c)
                        (PP' : Bisimw+ P P')(PS' : stable+ P')
                        (nonDivP : NonDivergent+ P)
                        (tr : TrP+ {lu} [] (inj₁ (nonDivBecomeStable+₁ c P nonDivP)) P)
                        → Bisimw (nonDivBecomeStable+₁ c P nonDivP) (node P')
  bisimPPWithEmptyTr+ {lu}{c} P P' PP' PS' (nondiv nondiv' (inj₁ x₁)) tr = PP'''
    where
      P'~ : Process∞ ∞ {lu} c
      P'~ = bisimIP' PP' x₁

      trP'P'~ : TrP+ {lu} [] (inj₁ (forcep P'~)) P'
      trP'P'~ = bisimItr PP' x₁

      P'≡P'~ : node P' ≡ forcep P'~ {∞}
      P'≡P'~ = emptyTrPtoQImpliesEq+ P' (forcep P'~) PS' trP'P'~

      P'~≡P' : forcep P'~ {∞} ≡ node P'
      P'~≡P' rewrite P'≡P'~ = refl

      P'~stable : stable (forcep P'~)
      P'~stable rewrite P'~≡P' = PS'

      PP'' : Bisimw (nonDivBecomeStable₁ c (forcep (PI P x₁)) (forceND (nondiv' x₁)))
                    (forcep P'~)
      PP'' = bisimPPWithEmptyTr (forcep (PI P x₁)) (forcep P'~ {∞})
                                (forceB (bisimINext PP' x₁))
                                P'~stable (forceND (nondiv' x₁))
                                (nonDivBecomeStable₂ c (forcep (PI P x₁)) (forceND (nondiv' x₁)))

      PP''' : Bisimw (nonDivBecomeStable∞₁ c (PI P x₁) (nondiv' x₁)) (node P')
      PP''' rewrite P'≡P'~ = PP''

  bisimPPWithEmptyTr+ P P' PP' PS' (nondiv x (inj₂ y)) empty = eqnode PP'
  bisimPPWithEmptyTr+ P P' PP' PS' (nondiv x (inj₂ y)) (intc .[] .(inj₁ (node P)) x₁ x₂) = eqnode PP'

--@END


mutual

  choicesetornotBism : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process+ ∞ {lu} c)(PP' : Bisims+ {i} P P')
                       (cc' : ChoiceSet (I P) ⊎ ¬ (ChoiceSet (I P)))
                       → ChoiceSet (I P') ⊎ ¬ (ChoiceSet (I P'))
  choicesetornotBism {c} P P' PP' (inj₁ ip)    = inj₁ (bisim2l PP' ip)
  choicesetornotBism {c} P P' PP' (inj₂ notip) = inj₂ (λ ip' → notip (bisim2lr PP' ip'))


mutual

  nondivLemBisims∞ : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process∞ ∞ {lu} c)
                     → Bisims∞ {i} P P'
                     → NonDivergent∞ {i} P → NonDivergent∞ {i} P'
  forceND (nondivLemBisims∞ P P' PP' nP) =
    nondivLemBisims (forcep P) (forcep P') (forceB PP') (forceND nP)

  nondivLemBisims : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process ∞ {lu} c)
                    → Bisims {i} P P'
                    → NonDivergent {i} P → NonDivergent {i} P'
  nondivLemBisims .(terminate a) .(terminate a) (eqterminate {a}) nP = tt
  nondivLemBisims .(node Q) .(node Q') (eqnode {Q} {Q'} QQ') nP = nondivLemBisims+ Q Q' QQ' nP

  nondivLemBisims+ : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process+ ∞ {lu} c)
                     → Bisims+ {i} P P'
                     → NonDivergent+ {i} P → NonDivergent+ {i} P'
  nondivLemBisims+ P P' PP' (nondiv f p) =
    nondiv (λ i → nondivLemBisims∞ (PI P (bisim2lr PP' i)) (PI P' i) (bisimINextr PP' i)
                                    (f (bisim2lr PP' i)))
           (choicesetornotBism P P' PP' p)


mutual

  divLemBisims∞ : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process∞ ∞ {lu} c)
                  → Bisims∞ {i} P P'
                  → DivergentProcess∞ i c P → DivergentProcess∞ i c P'
  divLemBisims∞ P P' PP' nP .forcediv =
    divLemBisims (forcep P) (forcep P') (forceB PP') (forcediv nP)

  divLemBisims : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process ∞ {lu} c)
                 → Bisims {i} P P'
                 → DivergentProcess i c P → DivergentProcess i c P'
  divLemBisims .(terminate a) .(terminate a) (eqterminate {a}) nP = nP
  divLemBisims .(node P) .(node P') (eqnode {.P} {P'} PP') (div P divP) =
    div P' (divLemBisims+ P P' PP' divP)

  divLemBisims+ : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process+ ∞ {lu} c)
                  → Bisims+ {i} P P'
                  → DivergentProcess+ i c P → DivergentProcess+ i c P'
  divLemBisims+ P P' PP' (div+ int Q) =
    div+ (bisim2l PP' int)
         (divLemBisims∞ (PI P int) (PI P' (bisim2l PP' int)) (bisimINext PP' int) Q)


mutual

  nondivLemBisims∞r : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process∞ ∞ {lu} c)
                      → Bisims∞ {i} P P'
                      → NonDivergent∞ {i} P' → NonDivergent∞ {i} P
  forceND (nondivLemBisims∞r P P' PP' nP) =
    nondivLemBisimsr (forcep P) (forcep P') (forceB PP') (forceND nP)

  nondivLemBisimsr : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process ∞ {lu} c)
                     → Bisims {i} P P'
                     → NonDivergent {i} P' → NonDivergent {i} P
  nondivLemBisimsr .(terminate a) .(terminate a) (eqterminate {a}) nP = tt
  nondivLemBisimsr .(node Q) .(node Q') (eqnode {Q} {Q'} QQ') nP = nondivLemBisims+r Q Q' QQ' nP

  nondivLemBisims+r : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process+ ∞ {lu} c)
                      → Bisims+ {i} P P'
                      → NonDivergent+ {i} P' → NonDivergent+ {i} P
  nondivLemBisims+r P P' PP' (nondiv f p) =
    nondiv (λ i → nondivLemBisims∞r (PI P i) (PI P' (bisim2l PP' i)) (bisimINext PP' i)
                                     (f (bisim2l PP' i)))
           (swapChoiceSetssr P P' PP' p)


mutual

  divLemBisims∞r : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process∞ ∞ {lu} c)
                   → Bisims∞ {i} P P'
                   → DivergentProcess∞ i c P' → DivergentProcess∞ i c P
  divLemBisims∞r {i} P P' PP' nP .forcediv =
    divLemBisimsr (forcep P) (forcep P') (forceB PP') (forcediv nP)

  divLemBisimsr : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process ∞ {lu} c)
                  → Bisims {i} P P'
                  → DivergentProcess i c P' → DivergentProcess i c P
  divLemBisimsr .(terminate a) .(terminate a) (eqterminate {a}) nP = nP
  divLemBisimsr .(node P') .(node P) (eqnode {P'} {.P} PP') (div P divP) =
    div P' (divLemBisims+r P' P PP' divP)

  divLemBisims+r : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process+ ∞ {lu} c)
                   → Bisims+ {i} P P'
                   → DivergentProcess+ i c P' → DivergentProcess+ i c P
  divLemBisims+r P P' PP' (div+ int Q) =
    div+ (bisim2lr PP' int)
         (divLemBisims∞r (PI P (bisim2lr PP' int)) (PI P' int) (bisimINextr PP' int) Q)


mutual

  stabLemBisims∞ : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process∞ ∞ {lu} c)
                   → Bisims∞ P P'
                   → stable∞ P' → stable∞ P
  stabLemBisims∞ P P' PP' PS' = stabLemBisims (forcep P) (forcep P') (forceB PP') PS'

  stabLemBisims : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process ∞ {lu} c)
                  → Bisims P P'
                  → stable P' → stable P
  stabLemBisims .(terminate a) .(terminate a) (eqterminate {a}) PS' = PS'
  stabLemBisims .(node P) .(node P') (eqnode {P} {P'} PP') PS' = stabLemBisims+ P P' PP' PS'

  stabLemBisims+ : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process+ ∞ {lu} c)
                   → Bisims+ {i} P P'
                   → stable+ P' → stable+ P
  stabLemBisims+ P P' PP' (PnoI ,, PNoTick) = (λ int → PnoI (bisim2l PP' int)) ,, (λ t → PNoTick


mutual

  divergentImpliesNotTermEquiv+ : {lu : LUniv}(c : Choice)
                                  (P : Process+ ∞ {lu} c)
                                  (a : ChoiceSet c)
                                  (terP : TerminateEquivalent+ a P)
                                  (divP : DivergentProcess+ ∞ {lu} c P)
                                  → ⊥
  divergentImpliesNotTermEquiv+ c P a terequivP (div+ int divP) =
    divergentImpliesNotTermEquiv∞ c (PI P int) a (onlyIntChoice terequivP int) divP

  divergentImpliesNotTermEquiv∞ : {lu : LUniv}(c : Choice)
                                  (P : Process∞ ∞ {lu} c)
                                  (a : ChoiceSet c)
                                  (terP : TerminateEquivalent∞ a P)
                                  (divP : DivergentProcess∞ ∞ {lu} c P)
                                  → ⊥
  divergentImpliesNotTermEquiv∞ c P a terP divP =
    divergentImpliesNotTermEquiv c (forcep P) a terP (forcediv divP)

  divergentImpliesNotTermEquiv : {lu : LUniv}(c : Choice)
                                 (P : Process ∞ {lu} c)
                                 (a : ChoiceSet c)
                                 (terP : TerminateEquivalent a P)
                                 (divP : DivergentProcess ∞ {lu} c P)
                                 → ⊥
  divergentImpliesNotTermEquiv c .(node P) a (termeqnode terequivP) (div P divP) =
    divergentImpliesNotTermEquiv+ c P a terequivP divP

mutual

  bisimImpliesDivergentPreserv∞ : {lu : LUniv}(c : Choice)(P P' : Process∞ ∞ {lu} c)
                                  (PP' : Bisimw∞ {∞} P P')
                                  (divP : DivergentProcess∞ ∞ {lu} c P)
                                  → DivergentProcess∞ ∞ {lu} c P'
  forcediv (bisimImpliesDivergentPreserv∞ c P P' PP' divP) =
    bisimImpliesDivergentPreserv c (forcep P) (forcep P') (forceB PP') (forcediv divP)

  bisimImpliesDivergentPreserv+ : {lu : LUniv}(c : Choice)(P P' : Process+ ∞ {lu} c)
                                  (PP' : Bisimw+ {∞} P P')
                                  (divP : DivergentProcess+ ∞ {lu} c P)
                                  → DivergentProcess+ ∞ {lu} c P'
  bisimImpliesDivergentPreserv+ c P P' PP' divP = bisimdiv PP' divP

--@BEGIN@bisimImpliesDivergentPreserv
  bisimImpliesDivergentPreserv : {lu : LUniv}(c : Choice)
                                 (P P' : Process ∞ {lu} c)
                                 (PP' : Bisimw {∞} P P')
                                 (divP : DivergentProcess ∞ {lu} c P)
                                 → DivergentProcess ∞ {lu} c P'
  bisimImpliesDivergentPreserv c .(terminate _) P' (eqterminate x) ()
  bisimImpliesDivergentPreserv c .(node P) .(terminate a)
                               (eqterminater {a} {.(node P)} (termeqnode terequivP)) (div P divP) =
    ⊥-elim (divergentImpliesNotTermEquiv+ c P a terequivP divP)
  bisimImpliesDivergentPreserv c .(node P) .(node P') (eqnode {.P} {P'} PP') (div P divP) =
    div P' (bisimImpliesDivergentPreserv+ c P P' PP' divP)
--@END


mutual

  bisimStableImpliesNotDivergent∞' : {lu : LUniv}(c : Choice)(P P' : Process∞ ∞ {lu} c)
                                     (PP' : Bisimw∞ P P')
                                     (PS' : stable∞ P')
                                     → NonDivergent∞ P
  forceND (bisimStableImpliesNotDivergent∞' c P P' PP' PS') =
    bisimStableImpliesNotDivergent' c (forcep P) (forcep P') (forceB PP') PS'

  bisimStableImpliesNotDivergent' : {lu : LUniv}(c : Choice)(P P' : Process ∞ {lu} c)
                                    (PP' : Bisimw P P')
                                    (PS' : stable P')
                                    → NonDivergent P
  bisimStableImpliesNotDivergent' c (terminate x) P' PP' PS' = tt
  bisimStableImpliesNotDivergent' c (node P) .(terminate a) (eqterminater {a} terequiv) PS' =
    TerImpliesNotDivergentaux c (node P) a terequiv
  bisimStableImpliesNotDivergent' c (node P) .(node P') (eqnode {.P} {P'} PP') PS' =
    bisimStableImpliesNotDivergent+' c P P' PP' PS'

  bisimStableImpliesNotDivergent+' : {lu : LUniv}(c : Choice)(P P' : Process+ ∞ {lu} c)
                                     (PP' : Bisimw+ P P')(PS' : stable+ P')
                                     → NonDivergent+ P
  bisimStableImpliesNotDivergent+' c P P' PP' PS' =
    nondiv+r PP' (nondiv (λ i → ⊥-elim (stabToNoInternal+ P' PS' i)) (inj₂ (stabToNoInternal+ P' PS')))


lemBisimDRefusalAux : {lu : LUniv}(c : Choice)
                      (x : ChoiceSet c)
                      (P : Process+ ∞ {lu} c)
                      (hasTauorTickNoTau : ChoiceSet (I P) ⊎ (¬ (ChoiceSet (I P)) × ChoiceSet (T P)))
                      (PS : ChoiceSet (I P) → ⊥)
                      → ChoiceSet (T P)
lemBisimDRefusalAux c x P (inj₁ x₁)        PS = ⊥-elim (PS x₁)
lemBisimDRefusalAux c x P (inj₂ (_ ,, x₁)) PS = x₁


mutual

  bisimDRefusal+ : {lu : LUniv}{c : Choice}(P : Process+ ∞ {lu} c)(P' : Process+ ∞ {lu} c)
                   (PS : stable+ P)
                   (PP' : Bisimw+ {∞} P P')
                   (X : Label lu → Bool)
                   (isRoscoe : Bool)
                   (ref : DRefusal+ P isRoscoe X)
                   → DRefusal+ P' isRoscoe X
  bisimDRefusal+ {c} P P' PS PP' X isRoscoe (drefusal noextChInX noTerm) =
    drefusal (bisimDRefusal+NoExtChInX P P' PS PP' X noextChInX)
             (bisimDRefusalNoTicksIfIsRoscoe P P' PS PP' isRoscoe noTerm)

  bisimDRefusalNoTicksIfIsRoscoe : {lu : LUniv}{c : Choice}(P : Process+ ∞ {lu} c)
                                   (P' : Process+ ∞ {lu} c)
                                   (PS : stable+ P)
                                   (PP' : Bisimw+ {∞} P P')
                                   (isRoscoe : Bool)
                                   (ref : NoTicksIfIsRoscoe P isRoscoe)
                                   → NoTicksIfIsRoscoe P' isRoscoe
  bisimDRefusalNoTicksIfIsRoscoe {lu} {c} P P' PS PP' isRoscoe ref tickIsIncl x =
    ref tickIsIncl (lem c P (PT P' x) path PS)
    where
      path : TrP+ {lu} [] (inj₂ (PT P' x)) P
      path = bisimTtrr PP' x

      lem : {lu : LUniv}(c : Choice)(P : Process+ ∞ {lu} c)(x : ChoiceSet c)
            (tr : TrP+ {lu} [] (inj₂ x) P)
            (PS : stable+ P) → ChoiceSet (T P)
      lem c P x (intc .[] .(inj₂ x) x' x₂) PS = ⊥-elim (stabToNoInternal+ P PS x')
      lem c P .(PT P x₁) (terc x₁) PS = x₁

  bisimDRefusal+NoExtChInX : {lu : LUniv}{c : Choice}(P : Process+ ∞ {lu} c)
                             (P' : Process+ ∞ {lu} c)
                             (PS : stable+ P)
                             (PP' : Bisimw+ {∞} P P')
                             (X : Label lu → Bool)
                             (ref : NoExtChInX P X)
                             → NoExtChInX P' X
  bisimDRefusal+NoExtChInX {lu}{c} P P' PS PP' X ref e x = lem₂ c P Q (Lab P' e) tr PS X ref x
    where
      Q : Process ∞ {lu} c
      Q = forcep (PP' .bisimEP'r e)

      tr : TrP+ {lu} (Lab P' e ∷ []) (inj₁ Q) P
      tr = PP' .bisimEtrr e

      lem₂ : {lu : LUniv}(c : Choice)(P : Process+ ∞ {lu} c)(Q : Process ∞ {lu} c)
             (l : Label lu)(tr : TrP+ {lu} (l ∷ []) (inj₁ Q) P)
             (PS : stable+ P)(X : Label lu → Bool)(ref : NoExtChInX P X)(labX : True (X l)) → ⊥
      lem₂ c P Q .(Lab P x) (extc .[] .(inj₁ Q) x x₁) PS X ref labX = ref x labX
      lem₂ c P Q l (intc .(l ∷ []) .(inj₁ Q) x x₁) PS X ref labX = stabToNoInternal+ P PS x

  bisimDRefusal : {lu : LUniv}{c : Choice}(P : Process ∞ {lu} c)(P' : Process ∞ {lu} c)
                  (PS : stable P)
                  (PP' : Bisimw {∞} P P')
                  (X : Label lu → Bool)
                  (isRoscoe : Bool)
                  (ref : DRefusal P isRoscoe X)
                  → DRefusal P' isRoscoe X
  bisimDRefusal (terminate x) (terminate x₁) PS PP' X isRoscoe ref tickIncl = ref tickIncl
  bisimDRefusal (terminate x) (node Q) PS (eqterminate (termeqnode terequivP)) X isRoscoe ref =
    drefusal (λ e → ⊥-elim (noExtChoice terequivP e)) (λ t → ⊥-elim (
  bisimDRefusal {lu}{c} (node P) (terminate x) PS (eqterminater (termeqnode terequivP)) X isRoscoe
                (drefusal noextChInX noTerm) tickInc =
    noTerm tickInc (lemBisimDRefusalAux c x P (hasTauOrTickNoTau terequivP) (stabToNoInternal+ P PS))
  bisimDRefusal (node P) (node P') PS (eqnode bisimQQ') X isRoscoe ref =
    bisimDRefusal+ P P' PS bisimQQ' X isRoscoe ref


mutual

  lemmaxxx₁ : {lu : LUniv}{c : Choice} → (result : Process ∞ {lu} c ⊎ ChoiceSet c)
              → (Q : Process ∞ {lu} c)
              → (divQ : DivergentProcess ∞ {lu} c Q)
              → BisimForNextP result (inj₁ Q)
              → Process ∞ {lu} c
  lemmaxxx₁ (inj₁ Q') Q divQ BisimResultQ = Q'
  lemmaxxx₁ (inj₂ y)  Q divQ BisimResultQ = ⊥-elim (lemmaDivNotTermequiv Q divQ y BisimResultQ)

  lemmaxxx₂ : {lu : LUniv}{c : Choice} → (result : Process ∞ {lu} c ⊎ ChoiceSet c)
              → (l : List (Label lu))(P : Process ∞ {lu} c)(Q : Process ∞ {lu} c)
              → (divQ : DivergentProcess ∞ {lu} c Q)
              → (bisimForNext : BisimForNextP result (inj₁ Q))
              → (trp : TrP {lu} l result P)
              → TrP {lu} l (inj₁ (lemmaxxx₁ result Q divQ bisimForNext)) P
  lemmaxxx₂ (inj₁ x) l P Q divQ bisimForNext trp = trp
  lemmaxxx₂ (inj₂ y) l P Q divQ bisimForNext trp = ⊥-elim (lemmaDivNotTermequiv Q divQ y bisimForNext)

  lemmaxxx₂+ : {lu : LUniv}{c : Choice} → (result : Process ∞ {lu} c ⊎ ChoiceSet c)
               → (l : List (Label lu))(P : Process+ ∞ {lu} c)(Q : Process ∞ {lu} c)
               → (divQ : DivergentProcess ∞ {lu} c Q)
               → (bisimForNext : BisimForNextP result (inj₁ Q))
               → (trp+ : TrP+ {lu} l result P)
               → TrP+ {lu} l (inj₁ (lemmaxxx₁ result Q divQ bisimForNext)) P
  lemmaxxx₂+ (inj₁ x) l P Q divQ bisimForNext trp+ = trp+
  lemmaxxx₂+ (inj₂ y) l P Q divQ bisimForNext trp+ = ⊥-elim (lemmaDivNotTermequiv Q divQ y bisimForNext)

  lemmaxxx₃ : {lu : LUniv}{c : Choice} → (result : Process ∞ {lu} c ⊎ ChoiceSet c)
              → (l : List (Label lu))(Q : Process ∞ {lu} c)
              → (divQ : DivergentProcess ∞ {lu} c Q)
              → (bisimForNext : BisimForNextP result (inj₁ Q))
              → Bisimw (lemmaxxx₁ result Q divQ bisimForNext) Q
  lemmaxxx₃ (inj₁ Q') l Q divQ bisimForNext = bisimForNext
  lemmaxxx₃ (inj₂ y)  l Q divQ bisimForNext = ⊥-elim (lemmaDivNotTermequiv Q divQ y bisimForNext)


A.8. bisimilarityProofsWithSchneiderStable2.agda

mutual

  lemmayyy₁ : {lu : LUniv}{c : Choice} → (result : Process ∞ {lu} c ⊎ ChoiceSet c)
              → (Q : Process ∞ {lu} c)
              → (stab : stable Q)
              → (X : Label lu → Bool)
              → DRefusal {lu}{c} Q true X
              → BisimForNextP result (inj₁ Q)
              → Process ∞ {lu} c
  lemmayyy₁ (inj₁ Q') Q stab X x x₁ = Q'
  lemmayyy₁ (inj₂ y)  Q stab X dref termequivQ =
    ⊥-elim (lemmaDrefusalStableNotTermequiv Q X dref stab y termequivQ)

  lemmayyy₁+ : {lu : LUniv}{c : Choice} → (result : Process ∞ {lu} c ⊎ ChoiceSet c)
               → (Q : Process ∞ {lu} c)
               → (stab : stable Q)
               → (X : Label lu → Bool)
               → DRefusal {lu}{c} Q true X
               → BisimForNextP result (inj₁ Q)
               → Process ∞ {lu} c
  lemmayyy₁+ (inj₁ Q') Q stab X x x₁ = Q'
  lemmayyy₁+ (inj₂ y)  Q stab X dref termequivQ =
    ⊥-elim (lemmaDrefusalStableNotTermequiv Q X dref stab y termequivQ)

  lemmayyy₂ : {lu : LUniv}{c : Choice} → (result : Process ∞ {lu} c ⊎ ChoiceSet c)
              → (l : List (Label lu))(P : Process ∞ {lu} c)(Q : Process ∞ {lu} c)
              → (stab : stable Q)
              → (X : Label lu → Bool)
              → (dref : DRefusal {lu}{c} Q true X)
              → (bisim : BisimForNextP result (inj₁ Q))
              → TrP {lu} l result P
              → TrP {lu} l (inj₁ (lemmayyy₁ result Q stab X dref bisim)) P
  lemmayyy₂ (inj₁ Q') l P Q stab X dref bisim tr = tr
  lemmayyy₂ (inj₂ y)  l P Q stab X dref termequivQ x =
    ⊥-elim (lemmaDrefusalStableNotTermequiv Q X dref stab y termequivQ)

  lemmayyy₂+ : {lu : LUniv}{c : Choice} → (result : Process ∞ {lu} c ⊎ ChoiceSet c)
               → (l : List (Label lu))(P : Process+ ∞ {lu} c)(Q : Process ∞ {lu} c)
               → (stab+ : stable Q)
               → (X : Label lu → Bool)
               → (dref : DRefusal {lu}{c} Q true X)
               → (bisim : BisimForNextP result (inj₁ Q))
               → TrP+ {lu} l result P
               → TrP+ {lu} l (inj₁ (lemmayyy₁ result Q stab+ X dref bisim)) P
  lemmayyy₂+ (inj₁ Q') l P Q stab X dref bisim tr = tr
  lemmayyy₂+ (inj₂ y)  l P Q stab X dref termequivQ x =
    ⊥-elim (lemmaDrefusalStableNotTermequiv Q X dref stab y termequivQ)

  lemmayyy₃ : {lu : LUniv}{c : Choice} → (result : Process ∞ {lu} c ⊎ ChoiceSet c)
              → (Q : Process ∞ {lu} c)
              → (stab : stable Q)
              → (X : Label lu → Bool)
              → (dref : DRefusal {lu}{c} Q true X)
              → (bisim : BisimForNextP result (inj₁ Q))
              → Bisimw (lemmayyy₁ result Q stab X dref bisim) Q
  lemmayyy₃ (inj₁ Q') Q stab X dref bisim = bisim
  lemmayyy₃ (inj₂ y)  Q stab X dref termequivQ =
    ⊥-elim (lemmaDrefusalStableNotTermequiv Q X dref stab y termequivQ)


lemEqList : {A : Set}(l : List A) → l ++ [] ≡ l
lemEqList []      = refl
lemEqList (x ∷ l) = cong (λ l' → x ∷ l') (lemEqList l)

stableNotTerminateEquivaux : {lu : LUniv}{c : Choice}(P : Process+ ∞ {lu} c)
                             (x : ChoiceSet c)
                             (hasTauOrTickNoTau : ChoiceSet (I P) ⊎
                                                  (¬ (ChoiceSet (I P)) × ChoiceSet (T P)))
                             (stabSch : stableSch+ P)
                             (notick : noTickIfRoscoe+ true P)
                             → ⊥
stableNotTerminateEquivaux P x (inj₁ int)             stabSch notick = stabSch int
stableNotTerminateEquivaux P x (inj₂ (noint ,, tick)) stabSch notick = notick tick

stableNotTerminateEquiv : {lu : LUniv}{c : Choice}(P : Process ∞ {lu} c)
                          (x : ChoiceSet c)
                          (terequiv : TerminateEquivalent x P)
                          (stab : stable P)
                          → ⊥
stableNotTerminateEquiv (terminate x) x₁ terequiv stab = stab _
stableNotTerminateEquiv (node P) x (termeqnode terequivP) (stabSch ,, notick) =
  stableNotTerminateEquivaux P x (hasTauOrTickNoTau terequivP) stabSch notick

noIntNoTerImpliesNoTermTrace : {lu : LUniv}{c : Choice}(P : Process+ ∞ {lu} c)
                               (x : ChoiceSet c)
                               (tr : TrP+ [] (inj₂ x) P)
                               (noint : ¬ (ChoiceSet (I P)))
                               (noTer : ¬ (ChoiceSet (T P)))
                               → ⊥
noIntNoTerImpliesNoTermTrace P x (intc .[] .(inj₂ x) int x₂) noint noTer = noint int
noIntNoTerImpliesNoTermTrace P .(PT P ter') (terc ter')      noint noTer = noTer ter'


mutual

  bisimwStableToNoTick : {lu : LUniv}{c : Choice}(P : Process ∞ {lu} c)
                         (P' : Process ∞ {lu} c)
                         (PP' : Bisimw {∞} P P')
                         (stabP' : stable P')
                         (stabSchP : stableSch P)
                         → noTickIfRoscoe true P
  bisimwStableToNoTick (terminate x) P' (eqterminate terequiv) stabP' stabSchP =
    stableNotTerminateEquiv P' x terequiv stabP'
  bisimwStableToNoTick (terminate x) .(terminate _) (eqterminater terequiv) stabP' stabSchP = stabP'
  bisimwStableToNoTick (node P) (terminate x) PP' stabP' stabSchP t = stabP'
  bisimwStableToNoTick (node P) (node P') (eqnode PP') (noint ,, noterP') noterP ter' =
    noIntNoTerImpliesNoTermTrace P' (PT P ter') (bisimTtr PP' ter') noint noterP'


mutual

--@BEGIN@bisimRefusalros
  bisimRefusalros : {lu : LUniv}{c : Choice}(P : Process ∞ {lu} c)
                    (P' : Process ∞ {lu} c)
                    (PP' : Bisimw {∞} P P')(l : List (Label lu))
                    (X : Label lu → Bool)
                    (fail : failure P' l true X)
                    → failure P l true X
  bisimRefusalros {lu}{c} P P' PP' l X (stableFail (stableFp Q' tr' stab' drefuse')) =
    stableFail (stableFp Qhat trhat₂
                         (stabSchNoTickIfRos2StablePar Qhat true stabSchQhat stabNoTick)
                         drefusehat)
    where
      Qcom : Process ∞ {lu} c ⊎ ChoiceSet c
      Qcom = bisimTraceTrP₁ P P' PP' l (inj₁ Q') tr'

      trcom : TrP {lu} l (bisimTraceTrP₁ P P' PP' l (inj₁ Q') tr') P
      trcom = bisimTraceTrP₂ P P' PP' l (inj₁ Q') tr'

      QQ'com : BisimForNextP (bisimTraceTrP₁ P P' PP' l (inj₁ Q') tr') (inj₁ Q')
      QQ'com = bisimTraceTrP₃ P P' PP' l (inj₁ Q') tr'

      Q : Process ∞ {lu} c
      Q = lemmayyy₁ Qcom Q' stab' X drefuse' QQ'com

      tr : TrP {lu} l (inj₁ Q) P
      tr = lemmayyy₂ Qcom l P Q' stab' X drefuse' QQ'com trcom

      QQ' : Bisimw Q Q'
      QQ' = lemmayyy₃ Qcom Q' stab' X drefuse' QQ'com

      Qhat : Process ∞ {lu} c
      Qhat = nonDivBecomeStable₁ c Q
               (bisimStableImpliesNotDivergent c Q Q' QQ' stab' (stableImpliesNonDiv Q' stab'))

      trhat : TrP {lu} [] (inj₁ Qhat) Q
      trhat = nonDivBecomeStable₂ c Q
                (bisimStableImpliesNotDivergent c Q Q' QQ' stab' (stableImpliesNonDiv Q' stab'))

      QhatQ' : Bisimw Qhat Q'
      QhatQ' = bisimPPWithEmptyTr Q Q' QQ' stab'
                 (bisimStableImpliesNotDivergent c Q Q' QQ' stab' (stableImpliesNonDiv Q' stab'))
                 trhat

      stabSchQhat : stableSch Qhat
      stabSchQhat = nonDivBecomeStable₃Sch c Q
                      (bisimStableImpliesNotDivergent c Q Q' QQ' stab' (stableImpliesNonDiv Q' stab'))

      stabNoTick : noTickIfRoscoe true Qhat
      stabNoTick = bisimwStableToNoTick Qhat Q' QhatQ' stab' stabSchQhat

      trhat₁ : TrP {lu} (l ++ []) (inj₁ Qhat) P
      trhat₁ = trPAppendTrw c P Q l [] (inj₁ Qhat) tr trhat

      eql : (l ++ []) ≡ l
      eql = lemEqList l

      trhat₂ : TrP {lu} l (inj₁ Qhat) P
      trhat₂ = subst (λ l' → TrP {lu} l' (inj₁ Qhat) P) eql trhat₁

      drefusehat : DRefusal Qhat true X
      drefusehat = bisimDRefusal Q' Qhat stab' (BismwSym Qhat Q' QhatQ') X true drefuse'

  bisimRefusalros {lu}{c} P P' PP' l X (divergentFailure (trdiv Q' trp' divq')) =
    divergentFailure (trdiv Q tr divp)
    where
      Qcom : Process ∞ {lu} c ⊎ ChoiceSet c
      Qcom = bisimTraceTrP₁ P P' PP' l (inj₁ Q') trp'

      trcom : TrP {lu} l (bisimTraceTrP₁ P P' PP' l (inj₁ Q') trp') P
      trcom = bisimTraceTrP₂ P P' PP' l (inj₁ Q') trp'

      QQ'com : BisimForNextP (bisimTraceTrP₁ P P' PP' l (inj₁ Q') trp') (inj₁ Q')
      QQ'com = bisimTraceTrP₃ P P' PP' l (inj₁ Q') trp'

      Q : Process ∞ {lu} c
      Q = lemmaxxx₁ Qcom Q' divq' QQ'com

      tr : TrP {lu} l (inj₁ Q) P
      tr = lemmaxxx₂ Qcom l P Q' divq' QQ'com trcom

      QQ' : Bisimw Q Q'
      QQ' = lemmaxxx₃ Qcom l Q' divq' QQ'com

      Q'Q : Bisimw Q' Q
      Q'Q = BismwSym Q Q' QQ'

      divp : DivergentProcess ∞ {lu} c Q
      divp = bisimImpliesDivergentPreserv c Q' Q Q'Q divq'

--@END


--@BEGIN@bisimRefusalrosplus

mutual

  bisimRefusalros+ : {lu : LUniv}{c : Choice}(P : Process+ ∞ {lu} c)
                     (P' : Process+ ∞ {lu} c)
                     (PP' : Bisimw+ {∞} P P')
                     (l : List (Label lu))
                     (X : Label lu → Bool)
                     (fail : failure+ P' l true X)
                     → failure+ P l true X
  bisimRefusalros+ {lu}{c} P P' PP' l X (stableFail (stableFp Q' tr' stab' drefuse')) =
    stableFail (stableFp Qhat trhat₂
                         (stabSchNoTickIfRos2StablePar Qhat true stabSchQhat stabNoTick)
                         drefusehat)
    where
      Qcom : Process ∞ {lu} c ⊎ ChoiceSet c
      Qcom = bisimTraceTrP₁+ P P' PP' l (inj₁ Q') tr'

      trcom : TrP+ {lu} l (bisimTraceTrP₁+ P P' PP' l (inj₁ Q') tr') P
      trcom = bisimTraceTrP₂+ P P' PP' l (inj₁ Q') tr'

      QQ'com : BisimForNextP (bisimTraceTrP₁+ P P' PP' l (inj₁ Q') tr') (inj₁ Q')
      QQ'com = bisimTraceTrP₃+ P P' PP' l (inj₁ Q') tr'

      Q : Process ∞ {lu} c
      Q = lemmayyy₁ Qcom Q' stab' X drefuse' QQ'com

      tr : TrP+ {lu} l (inj₁ Q) P
      tr = lemmayyy₂+ Qcom l P Q' stab' X drefuse' QQ'com trcom

      QQ' : Bisimw Q Q'
      QQ' = lemmayyy₃ Qcom Q' stab' X drefuse' QQ'com

      Qhat : Process ∞ {lu} c
      Qhat = nonDivBecomeStable₁ c Q
               (bisimStableImpliesNotDivergent c Q Q' QQ' stab' (stableImpliesNonDiv Q' stab'))

      trhat : TrP {lu} [] (inj₁ Qhat) Q
      trhat = nonDivBecomeStable₂ c Q
                (bisimStableImpliesNotDivergent c Q Q' QQ' stab' (stableImpliesNonDiv Q' stab'))

      QhatQ' : Bisimw Qhat Q'
      QhatQ' = bisimPPWithEmptyTr Q Q' QQ' stab'
                 (bisimStableImpliesNotDivergent c Q Q' QQ' stab' (stableImpliesNonDiv Q' stab'))
                 trhat

      stabSchQhat : stableSch Qhat
      stabSchQhat = nonDivBecomeStable₃Sch c Q
                      (bisimStableImpliesNotDivergent c Q Q' QQ' stab' (stableImpliesNonDiv Q' stab'))

      stabNoTick : noTickIfRoscoe true Qhat
      stabNoTick = bisimwStableToNoTick Qhat Q' QhatQ' stab' stabSchQhat

      trhat₁ : TrP+ {lu} (l ++ []) (inj₁ Qhat) P
      trhat₁ = trPAppendTrw+ c P Q l [] (inj₁ Qhat) tr trhat

      eql : (l ++ []) ≡ l
      eql = lemEqList l

      trhat₂ : TrP+ {lu} l (inj₁ Qhat) P
      trhat₂ = subst (λ l' → TrP+ {lu} l' (inj₁ Qhat) P) eql trhat₁

      drefusehat : DRefusal Qhat true X
      drefusehat = bisimDRefusal Q' Qhat stab' (BismwSym Qhat Q' QhatQ') X true drefuse'

  bisimRefusalros+ {lu}{c} P P' PP' l X (divergentFailure (trdiv Q' trp' divq')) =
    divergentFailure (trdiv Q tr divp)
    where
      Qcom : Process ∞ {lu} c ⊎ ChoiceSet c
      Qcom = bisimTraceTrP₁+ {lu} P P' PP' l (inj₁ Q') trp'

      trcom : TrP+ {lu} l (bisimTraceTrP₁+ P P' PP' l (inj₁ Q') trp') P
      trcom = bisimTraceTrP₂+ P P' PP' l (inj₁ Q') trp'

      QQ'com : BisimForNextP (bisimTraceTrP₁+ P P' PP' l (inj₁ Q') trp') (inj₁ Q')
      QQ'com = bisimTraceTrP₃+ P P' PP' l (inj₁ Q') trp'

      Q : Process ∞ {lu} c
      Q = lemmaxxx₁ Qcom Q' divq' QQ'com

      tr : TrP+ {lu} l (inj₁ Q) P
      tr = lemmaxxx₂+ Qcom l P Q' divq' QQ'com trcom

      QQ' : Bisimw Q Q'
      QQ' = lemmaxxx₃ Qcom l Q' divq' QQ'com

      Q'Q : Bisimw Q' Q
      Q'Q = BismwSym Q Q' QQ'

      divp : DivergentProcess ∞ {lu} c Q
      divp = bisimImpliesDivergentPreserv c Q' Q Q'Q divq'

--@END


--@BEGIN@bisimImFdiTwo

bisimImFDI2 : {lu : LUniv}{c : Choice}(P : Process ∞ {lu} c)
              (P' : Process ∞ {lu} c)
              (PP' : Bisimw {∞} P P')
              → P ⊑fdi2ros P'
bisimImFDI2 P P' PP' = bisimRefusalros P P' PP'

bisimImFDI2r : {lu : LUniv}{c : Choice}(P : Process ∞ {lu} c)
               (P' : Process ∞ {lu} c)
               (PP' : Bisimw {∞} P P')
               → P' ⊑fdi2ros P
bisimImFDI2r {lu}{c} P P' PP' = bisimImFDI2 P' P (BismwSym P P' PP')

--@END

bisimImFDI2+ : {lu : LUniv}{c : Choice}(P : Process+ ∞ {lu} c)
               (P' : Process+ ∞ {lu} c)
               (PP' : Bisimw+ {∞} P P')
               → P ⊑fdi2ros+ P'
bisimImFDI2+ {lu}{c} P P' PP' = bisimRefusalros+ P P' PP'

bisimImFDI2r+ : {lu : LUniv}{c : Choice}(P : Process+ ∞ {lu} c)
                (P' : Process+ ∞ {lu} c)
                (PP' : Bisimw+ {∞} P P')
                → P' ⊑fdi2ros+ P
bisimImFDI2r+ {lu}{c} P P' PP' = bisimImFDI2+ P' P (BismwSym+ P P' PP')

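The chain of lemmas in this file is easier to follow on a finite example. The Python model below is an added example, not CSP-Agda code from the thesis: processes are small constructed labelled transition systems with internal (τ) steps, and every name in it (become_stable, weak_bisimulation, refines_fd, the sample processes P, Q, EC, IC and DIV) is an assumption of the example rather than a definition of the library. It shows, on finite state spaces, the three facts the appendix proves coinductively: a non-divergent process reaches a stable state by resolving internal choices only, with an empty visible trace (nonDivBecomeStable); a reachable τ-cycle makes a process divergent, so no such stable state exists; and a divergence-sensitive weak bisimulation yields failures-divergences refinement in both directions (bisimImFDI2 and bisimImFDI2r), whereas refinement alone, as between an external and an internal choice, does not give bisimilarity.

```python
"""Finite-state model of bisimilarity, divergence and FD refinement.

Added example, not CSP-Agda code.  An LTS is {state: [(label, target), ...]}
where label None is an internal (tau) choice, "tick" is termination and any
other string is a visible event.  All names and processes are assumptions.
"""

TAU, TICK = None, "tick"


def succ(lts, s, lab):
    """Direct successors of state s under label lab."""
    return [t for (l, t) in lts.get(s, []) if l == lab]


def tau_closure(lts, states):
    """States reachable by zero or more tau steps (the empty-trace relation)."""
    seen, stack = set(states), list(states)
    while stack:
        for t in succ(lts, stack.pop(), TAU):
            if t not in seen:
                seen.add(t)
                stack.append(t)
    return seen


def is_stable(lts, s):
    """Stable: no internal choice enabled (stableSch in the appendix)."""
    return not succ(lts, s, TAU)


def is_divergent(lts, s):
    """An infinite tau path exists; in a finite LTS that is a reachable tau cycle."""
    return any(x in tau_closure(lts, set(succ(lts, x, TAU)))
               for x in tau_closure(lts, {s}))


def become_stable(lts, s):
    """nonDivBecomeStable: resolve one internal choice at a time until stable.
    The visible trace stays empty; the loop terminates only because the caller
    guarantees non-divergence (no reachable tau cycle)."""
    if is_divergent(lts, s):
        raise ValueError("divergent process has no stable tau-successor")
    while not is_stable(lts, s):
        s = succ(lts, s, TAU)[0]
    return s


def weak_succ(lts, states, lab):
    """q ==lab==> q': tau* lab tau* for a visible lab, tau* when lab is TAU."""
    pre = tau_closure(lts, states)
    if lab is TAU:
        return pre
    return tau_closure(lts, {t for s in pre for t in succ(lts, s, lab)})


def weak_bisimulation(P, p0, Q, q0):
    """Largest divergence-sensitive weak bisimulation between P and Q, as a
    greatest fixed point over state pairs; True iff (p0, q0) is related."""
    labels = {l for lts in (P, Q) for es in lts.values() for (l, _) in es}
    R = {(p, q) for p in P for q in Q if is_divergent(P, p) == is_divergent(Q, q)}
    changed = True
    while changed:
        changed = False
        for (p, q) in list(R):
            ok = (all(any((p1, q1) in R for q1 in weak_succ(Q, {q}, lab))
                      for lab in labels for p1 in succ(P, p, lab))
                  and all(any((p1, q1) in R for p1 in weak_succ(P, {p}, lab))
                          for lab in labels for q1 in succ(Q, q, lab)))
            if not ok:
                R.discard((p, q))
                changed = True
    return (p0, q0) in R


def fd_semantics(lts, s0, roscoe=True, depth=3):
    """Stable failures as (trace, maximal refusal) and divergences as traces,
    for traces of length <= depth.  Refusals are subset-closed, so the visible
    events a stable state cannot do represent all of them.  With roscoe=True a
    stable state that can terminate yields no refusal (NoTicksIfIsRoscoe)."""
    events = {l for es in lts.values() for (l, _) in es if l not in (TAU, TICK)}
    failures, divergences, seen = set(), set(), set()
    todo = {((), s) for s in tau_closure(lts, {s0})}
    while todo:
        tr, s = todo.pop()
        if (tr, s) in seen:
            continue
        seen.add((tr, s))
        if is_divergent(lts, s):
            divergences.add(tr)
        offered = {l for (l, _) in lts.get(s, [])}
        if is_stable(lts, s) and not (roscoe and TICK in offered):
            failures.add((tr, frozenset(events - offered)))
        if len(tr) < depth:
            for (l, t) in lts.get(s, []):
                if l is not TAU:
                    todo.update((tr + (l,), t2) for t2 in tau_closure(lts, {t}))
    return failures, divergences


def refines_fd(P, p0, Q, q0, roscoe=True, depth=3):
    """P is refined by Q in the failures-divergences model: every divergence and
    failure of Q is one of P, a divergence of P covering all its extensions."""
    fP, dP = fd_semantics(P, p0, roscoe, depth)
    fQ, dQ = fd_semantics(Q, q0, roscoe, depth)

    def diverges(tr):
        return any(tr[:len(d)] == d for d in dP)

    return (all(diverges(d) for d in dQ)
            and all(diverges(tr) or any(tr == t2 and X <= Y for (t2, Y) in fP)
                    for (tr, X) in fQ))


# Constructed sample processes (assumptions of this example, not from the thesis)
P = {"p0": [("a", "p1")], "p1": [(TICK, "p2")], "p2": []}                  # a -> SKIP
Q = {"q0": [(TAU, "q1")], "q1": [(TAU, "q2")], "q2": [("a", "q3")],
     "q3": [(TICK, "q4")], "q4": []}                                        # tau.tau.(a -> SKIP)
EC = {"e0": [("a", "s"), ("b", "s")], "s": []}                              # (a -> STOP) [] (b -> STOP)
IC = {"i0": [(TAU, "ia"), (TAU, "ib")], "ia": [("a", "s")],
      "ib": [("b", "s")], "s": []}                                          # (a -> STOP) |~| (b -> STOP)
DIV = {"d0": [(TAU, "d0")]}                                                 # tau loop


def demo():
    """Bisimilar => refinement both ways; refinement without bisimilarity;
    divergence detected and preserved only by divergence."""
    return {
        "Q stable successor": become_stable(Q, "q0"),
        "P ~ Q": weak_bisimulation(P, "p0", Q, "q0"),
        "P <= Q and Q <= P": refines_fd(P, "p0", Q, "q0") and refines_fd(Q, "q0", P, "p0"),
        "EC ~ IC": weak_bisimulation(EC, "e0", IC, "i0"),
        "IC <= EC": refines_fd(IC, "i0", EC, "e0"),
        "EC <= IC": refines_fd(EC, "e0", IC, "i0"),
        "DIV divergent": is_divergent(DIV, "d0"),
        "DIV <= P": refines_fd(DIV, "d0", P, "p0"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Each stable state is represented by its maximal refusal (the visible events it cannot do); since refusal sets are subset-closed this loses nothing for the refinement check, which is the same simplification the appendix makes by working with DRefusal instead of arbitrary refusal sets. The roscoe flag reproduces the NoTicksIfIsRoscoe side condition: under Roscoe's convention a stable state that can terminate contributes no refusal, under Schneider's it does.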
A.9 bisimilarityProofsWithSchneiderStable3.agda 
nondivImpliesIPornotIP : {lu : LUniv}{c : Choice}(P : Process+ ∞ {lu} c)
                         (nondiv : NonDivergent+ P)
                         → ChoiceSet (I P) ⊎ ¬ (ChoiceSet (I P))
nondivImpliesIPornotIP {c} P (nondiv _ chemptyornot) = chemptyornot


mutual

  swapChoiceSets : {lu : LUniv}{c : Choice}(P P' : Process+ ∞ {lu} c)
                   (PP' : Bisimw+ {∞} P P')
                   (nondiv : NonDivergent+ P)
                   → ChoiceSet (I P') ⊎ ¬ (ChoiceSet (I P'))
  swapChoiceSets {c} P P' PP' nond = nondivImpliesIPornotIP P' (nondiv+ PP' nond)


mutual

  stableImpliesNonDiv∞ : {lu : LUniv}{c : Choice}(P : Process∞ ∞ {lu} c)
                         (PS : stable∞ P) → NonDivergent∞ P
  forceND (stableImpliesNonDiv∞ P PS) = stableImpliesNonDiv (forcep P) PS

  stableImpliesNonDiv : {lu : LUniv}{c : Choice}(P : Process ∞ {lu} c)
                        (PS : stable P)
                        → NonDivergent P
  stableImpliesNonDiv (terminate x) PS = tt
  stableImpliesNonDiv (node x)      PS = stableImpliesNonDiv+ x PS

  stableImpliesNonDiv+ : {lu : LUniv}{c : Choice}(P : Process+ ∞ {lu} c)
                         (PS : stable+ P) → NonDivergent+ P
  stableImpliesNonDiv+ P PS =
    nondiv (stableImpliesNonDiv+aux P PS) (inj₂ (stabToNoInternal+ P PS))

  stableImpliesNonDiv+aux : {lu : LUniv}{c : Choice}(P : Process+ ∞ {lu} c)
                            (PS : stable+ P)(i : ChoiceSet (I P))
                            → NonDivergent∞ (PI P i)
  stableImpliesNonDiv+aux P PS i = ⊥-elim (stabToNoInternal+ P PS i)


mutual
  TerImpliesNotDivergentaux+ : {lu : LUniv}(c : Choice)(P : Process+ ∞ {lu} c)
                               (a : ChoiceSet c)
                               (terequiv : TerminateEquivalent+ a P)
                               → NonDivergent+ P
  TerImpliesNotDivergentaux+ c P a terequiv =
    nondiv (λ i → TerImpliesNotDivergentaux∞ c (PI P i) a (onlyIntChoice terequiv i))
           (hasTauOrNotTau terequiv)

  TerImpliesNotDivergentaux : {lu : LUniv}(c : Choice)(P : Process ∞ {lu} c)
                              (a : ChoiceSet c)
                              (terequiv : TerminateEquivalent a P)
                              → NonDivergent P
  TerImpliesNotDivergentaux c (terminate x) a terequiv = tt
  TerImpliesNotDivergentaux c (node x) a (termeqnode terequivP) =
    TerImpliesNotDivergentaux+ c x a terequivP

  TerImpliesNotDivergentaux∞ : {lu : LUniv}(c : Choice)(P : Process∞ ∞ {lu} c)
                               (a : ChoiceSet c)
                               (terequiv : TerminateEquivalent a (forcep P))
                               → NonDivergent∞ P
  forceND (TerImpliesNotDivergentaux∞ c P a terequiv) =
    TerImpliesNotDivergentaux c (forcep P) a terequiv


--@BEGIN@bisimStableImpliesNotDivergent
mutual
  bisimStableImpliesNotDivergent∞ : {lu : LUniv}(c : Choice)
                                    (P P' : Process∞ ∞ {lu} c)
                                    (PP' : Bisimw∞ P P')
                                    (PS' : stable∞ P')
                                    (nonDivP' : NonDivergent∞ P')
                                    → NonDivergent∞ P
  forceND (bisimStableImpliesNotDivergent∞ c P P' PP' PS' nonDivP') =
    bisimStableImpliesNotDivergent c (forcep P) (forcep P') (forceB PP') PS' (forceND nonDivP')

  bisimStableImpliesNotDivergent : {lu : LUniv}(c : Choice)
                                   (P P' : Process ∞ {lu} c)
                                   (PP' : Bisimw P P')
                                   (PS' : stable P')
                                   (nonDivP' : NonDivergent P')
                                   → NonDivergent P
  bisimStableImpliesNotDivergent c (terminate x) P' PP' PS' nonDivP' = tt
  bisimStableImpliesNotDivergent c (node P) (terminate a)
                                 (eqterminater (termeqnode terequivP)) PS' nonDivP' =
    TerImpliesNotDivergentaux c (node P) a (termeqnode terequivP)
  bisimStableImpliesNotDivergent c (node P) (node P') (eqnode PP') PS' nonDivP' =
    bisimStableImpliesNotDivergent+ c P P' PP' PS' nonDivP'

  bisimStableImpliesNotDivergent+ : {lu : LUniv}(c : Choice)
                                    (P P' : Process+ ∞ {lu} c)
                                    (PP' : Bisimw+ P P')
                                    (PS' : stable+ P')
                                    (nonDivP' : NonDivergent+ P')
                                    → NonDivergent+ P
  bisimStableImpliesNotDivergent+ c P P' PP' PS' nonDivP' = nondiv+r PP' nonDivP'
--@END


--@BEGIN@nonDivBecomeStable
mutual
  nonDivBecomeStable∞₁ : {lu : LUniv}(c : Choice)
                         (P : Process∞ ∞ {lu} c)
                         (nonDivP : NonDivergent∞ P)
                         → Process ∞ {lu} c
  nonDivBecomeStable∞₁ c P nonDivP = nonDivBecomeStable₁ c (forcep P) (forceND nonDivP)

  nonDivBecomeStable∞₂ : {lu : LUniv}(c : Choice)
                         (P : Process∞ ∞ {lu} c)
                         (nonDivP : NonDivergent∞ P)
                         → TrP∞ {lu} [] (inj₁ (nonDivBecomeStable∞₁ c P nonDivP)) P
  nonDivBecomeStable∞₂ c P nonDivP = nonDivBecomeStable₂ c (forcep P) (forceND nonDivP)

  nonDivBecomeStable∞₃ : {lu : LUniv}(c : Choice)
                         (P : Process∞ ∞ {lu} c)
                         (nonDivP : NonDivergent∞ P)
                         → stableSch (nonDivBecomeStable∞₁ c P nonDivP)
  nonDivBecomeStable∞₃ c P nonDivP = nonDivBecomeStable₃ c (forcep P) (forceND nonDivP)

  nonDivBecomeStable+₁ : {lu : LUniv}(c : Choice)
                         (P : Process+ ∞ {lu} c)
                         (nonDivP : NonDivergent+ P)
                         → Process ∞ {lu} c
  nonDivBecomeStable+₁ c P (nondiv x (inj₁ int)) = nonDivBecomeStable∞₁ c (PI P int) (x int)
  nonDivBecomeStable+₁ c P (nondiv x (inj₂ stab)) = node P

  nonDivBecomeStable+₂ : {lu : LUniv}(c : Choice)
                         (P : Process+ ∞ {lu} c)
                         (nonDivP : NonDivergent+ P)
                         → TrP+ {lu} [] (inj₁ (nonDivBecomeStable+₁ c P nonDivP)) P
  nonDivBecomeStable+₂ c P (nondiv x (inj₁ int)) =
    intc [] (inj₁ (nonDivBecomeStable+₁ c P (nondiv x (inj₁ int)))) int
         (nonDivBecomeStable∞₂ c (PI P int) (x int))
  nonDivBecomeStable+₂ c P (nondiv x (inj₂ stab)) = empty

  nonDivBecomeStable+₃ : {lu : LUniv}(c : Choice)
                         (P : Process+ ∞ {lu} c)
                         (nonDivP : NonDivergent+ P)
                         → stableSch (nonDivBecomeStable+₁ c P nonDivP)
  nonDivBecomeStable+₃ c P (nondiv x (inj₁ int)) = nonDivBecomeStable∞₃ c (PI P int) (x int)
  nonDivBecomeStable+₃ c P (nondiv x (inj₂ stab)) = stab

  nonDivBecomeStable₁ : {lu : LUniv}(c : Choice)
                        (P : Process ∞ {lu} c)
                        (nonDivP : NonDivergent P)
                        → Process ∞ {lu} c
  nonDivBecomeStable₁ c (terminate x) nonDivP = terminate x
  nonDivBecomeStable₁ c (node x) nonDivP = nonDivBecomeStable+₁ c x nonDivP

  nonDivBecomeStable₂ : {lu : LUniv}(c : Choice)
                        (P : Process ∞ {lu} c)
                        (nonDivP : NonDivergent P)
                        → TrP {lu} [] (inj₁ (nonDivBecomeStable₁ c P nonDivP)) P
  nonDivBecomeStable₂ c (terminate x) nonDivP = empty x
  nonDivBecomeStable₂ c (node x) nonDivP = tnode (nonDivBecomeStable+₂ c x nonDivP)

  nonDivBecomeStable₃ : {lu : LUniv}(c : Choice)
                        (P : Process ∞ {lu} c)
                        (nonDivP : NonDivergent P)
                        → stableSch (nonDivBecomeStable₁ c P nonDivP)
  nonDivBecomeStable₃ c (terminate x) nonDivP = _
  nonDivBecomeStable₃ c (node x) nonDivP = nonDivBecomeStable+₃ c x nonDivP
--@END


mutual
  nonDivBecomesStableBisimProof∞ : {lu : LUniv}{c : Choice}(P : Process∞ ∞ {lu} c)
                                   (nondiv' : NonDivergent∞ P)
                                   (a : ChoiceSet c)
                                   (terequivP : TerminateEquivalent∞ a P)
                                   → Bisimw (nonDivBecomeStable∞₁ c P nondiv') (terminate a)
  nonDivBecomesStableBisimProof∞ P nondiv' a terequivP =
    nonDivBecomesStableBisimProof (forcep P) (forceND nondiv') a terequivP

  nonDivBecomesStableBisimProof : {lu : LUniv}{c : Choice}(P : Process ∞ {lu} c)
                                  (nondiv' : NonDivergent P)
                                  (a : ChoiceSet c)
                                  (terequivP : TerminateEquivalent a P)
                                  → Bisimw (nonDivBecomeStable₁ c P nondiv') (terminate a)
  nonDivBecomesStableBisimProof (terminate x) nondiv' .x termeqterm = BismwRef (terminate x)
  nonDivBecomesStableBisimProof (node x) nondiv' a (termeqnode terequivP) =
    nonDivBecomesStableBisimProof+ x nondiv' a terequivP

  nonDivBecomesStableBisimProof+ : {lu : LUniv}{c : Choice}(P : Process+ ∞ {lu} c)
                                   (nondiv' : NonDivergent+ P)
                                   (a : ChoiceSet c)
                                   (terequivP : TerminateEquivalent+ a P)
                                   → Bisimw (nonDivBecomeStable+₁ c P nondiv') (terminate a)
  nonDivBecomesStableBisimProof+ P (nondiv x (inj₁ int)) a terequivP =
    nonDivBecomesStableBisimProof∞ (PI P int) (x int) a (onlyIntChoice terequivP int)
  nonDivBecomesStableBisimProof+ P (nondiv x (inj₂ stab)) a terequivP =
    eqterminater (termeqnode terequivP)


mutual
  emptyTrPtoQImpliesEq : {lu : LUniv}{c : Choice}(P P' : Process ∞ {lu} c)
                         (PS' : stable P)(tr : TrP {lu} [] (inj₁ P') P)
                         → P ≡ P'
  emptyTrPtoQImpliesEq (terminate x) .(terminate x) pat (empty .x) = refl
  emptyTrPtoQImpliesEq (node x) .(node x) PS' (tnode empty) = refl
  emptyTrPtoQImpliesEq (node Q) P' PS' (tnode (intc .[] .(inj₁ P') x₁ x₂)) =
    ⊥-elim (stabToNoInternal+ Q PS' x₁)

  emptyTrPtoQImpliesEq+ : {lu : LUniv}{c : Choice}(P : Process+ ∞ {lu} c)(P' : Process ∞ {lu} c)
                          (PS' : stable+ P)(tr : TrP+ {lu} [] (inj₁ P') P)
                          → node P ≡ P'
  emptyTrPtoQImpliesEq+ P P' PS' tr = emptyTrPtoQImpliesEq (node P) P' PS' (tnode tr)


--@BEGIN@bisimPPWithEmptyTr
mutual
  bisimPPWithEmptyTr∞ : {lu : LUniv}{c : Choice}
                        (P P' : Process∞ ∞ {lu} c)
                        (PP' : Bisimw∞ P P') (PS' : stable∞ P')
                        (nonDivP : NonDivergent∞ P)
                        (tr : TrP∞ {lu} [] (inj₁ (nonDivBecomeStable∞₁ c P nonDivP)) P)
                        → Bisimw (nonDivBecomeStable∞₁ c P nonDivP) (forcep P')
  bisimPPWithEmptyTr∞ P P' PP' PS' nonDivP tr =
    bisimPPWithEmptyTr (forcep P) (forcep P') (forceB PP') PS' (forceND nonDivP) tr

  bisimPPWithEmptyTr : {lu : LUniv}{c : Choice}
                       (P P' : Process ∞ {lu} c)
                       (PP' : Bisimw P P') (PS' : stable P')
                       (nonDivP : NonDivergent P)
                       (tr : TrP {lu} [] (inj₁ (nonDivBecomeStable₁ {lu} c P nonDivP)) P)
                       → Bisimw (nonDivBecomeStable₁ {lu} c P nonDivP) P'
  bisimPPWithEmptyTr {lu} {c} .(terminate x) (terminate x₁) PP' PS' nonDivP (empty x) = PP'
  bisimPPWithEmptyTr (node P) (terminate a) (eqterminater (termeqnode terequivP))
                     PS' (nondiv nondivPI (inj₁ x)) (tnode tr) =
    nonDivBecomesStableBisimProof∞ (PI P x) (nondivPI x) a (onlyIntChoice terequivP x)
  bisimPPWithEmptyTr (node P) (terminate x) (eqterminater (termeqnode terequivP))
                     PS' (nondiv x₁ (inj₂ y)) (tnode tr) =
    eqterminater (termeqnode terequivP)
  bisimPPWithEmptyTr (terminate P) (node P') PP' PS' nonDivP tr = PP'
  bisimPPWithEmptyTr (node P) (node P') (eqnode bisimPP') PS' (nondiv x chemptyornot) (tnode tr) =
    bisimPPWithEmptyTr+ P P' bisimPP' PS' (nondiv x chemptyornot) tr

  bisimPPWithEmptyTr+ : {lu : LUniv}{c : Choice}
                        (P P' : Process+ ∞ {lu} c)
                        (PP' : Bisimw+ P P') (PS' : stable+ P')
                        (nonDivP : NonDivergent+ P)
                        (tr : TrP+ {lu} [] (inj₁ (nonDivBecomeStable+₁ c P nonDivP)) P)
                        → Bisimw (nonDivBecomeStable+₁ c P nonDivP) (node P')
  bisimPPWithEmptyTr+ {lu}{c} P P' PP' PS' (nondiv nondiv' (inj₁ x₁)) tr = PP'''
    where
      P'~ : Process∞ ∞ {lu} c
      P'~ = bisimIP' PP' x₁

      trP'P'~ : P' ^+*[ [] ] (forcep P'~)
      trP'P'~ = bisimItr PP' x₁

      P'≡P'~ : node P' ≡ forcep P'~ {∞}
      P'≡P'~ = emptyTrPtoQImpliesEq+ P' (forcep P'~) PS' trP'P'~

      P'~≡P' : forcep P'~ {∞} ≡ node P'
      P'~≡P' rewrite P'≡P'~ = refl

      P'~stable : stable (forcep P'~)
      P'~stable rewrite P'~≡P' = PS'

      PP'' : Bisimw (nonDivBecomeStable₁ c (forcep (PI P x₁)) (forceND (nondiv' x₁)))
                    (forcep P'~)
      PP'' = bisimPPWithEmptyTr (forcep (PI P x₁)) (forcep P'~ {∞})
                                (forceB (bisimINext PP' x₁))
                                P'~stable (forceND (nondiv' x₁))
                                (nonDivBecomeStable₂ c (forcep (PI P x₁)) (forceND (nondiv' x₁)))

      PP''' : Bisimw (nonDivBecomeStable∞₁ c (PI P x₁) (nondiv' x₁)) (node P')
      PP''' rewrite P'≡P'~ = PP''

  bisimPPWithEmptyTr+ P P' PP' PS' (nondiv x (inj₂ y)) empty = eqnode PP'
  bisimPPWithEmptyTr+ P P' PP' PS' (nondiv x (inj₂ y)) (intc .[] .(inj₁ (node P)) x₁ x₂) =
    eqnode PP'
--@END


mutual
  choicesetornotBism : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process+ ∞ {lu} c)
                       (PP' : Bisims+ {i} P P')
                       (cc' : ChoiceSet (I P) ⊎ ¬ (ChoiceSet (I P)))
                       → ChoiceSet (I P') ⊎ ¬ (ChoiceSet (I P'))
  choicesetornotBism {c} P P' PP' (inj₁ ip) = inj₁ (bisim₂l PP' ip)
  choicesetornotBism {c} P P' PP' (inj₂ notip) = inj₂ (λ ip' → notip (bisim₂lr PP' ip'))


mutual
  nondivLemBisims∞ : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process∞ ∞ {lu} c)
                     → Bisims∞ {i} P P'
                     → NonDivergent∞ {i} P → NonDivergent∞ {i} P'
  forceND (nondivLemBisims∞ P P' PP' nP) =
    nondivLemBisims (forcep P) (forcep P') (forceB PP') (forceND nP)

  nondivLemBisims : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process ∞ {lu} c)
                    → Bisims {i} P P'
                    → NonDivergent {i} P → NonDivergent {i} P'
  nondivLemBisims .(terminate a) .(terminate a) (eqterminate {a}) nP = tt
  nondivLemBisims .(node Q) .(node Q') (eqnode {Q} {Q'} QQ') nP = nondivLemBisims+ Q Q' QQ' nP

  nondivLemBisims+ : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process+ ∞ {lu} c)
                     → Bisims+ {i} P P'
                     → NonDivergent+ {i} P → NonDivergent+ {i} P'
  nondivLemBisims+ P P' PP' (nondiv f p) =
    nondiv (λ i → nondivLemBisims∞ (PI P (bisim₂lr PP' i)) (PI P' i) (bisimINextr PP' i)
                                    (f (bisim₂lr PP' i)))
           (choicesetornotBism P P' PP' p)


mutual
  divLemBisims∞ : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process∞ ∞ {lu} c)
                  → Bisims∞ {i} P P'
                  → DivergentProcess∞ i c P → DivergentProcess∞ i c P'
  divLemBisims∞ P P' PP' nP .forcediv =
    divLemBisims (forcep P) (forcep P') (forceB PP') (forcediv nP)

  divLemBisims : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process ∞ {lu} c)
                 → Bisims {i} P P'
                 → DivergentProcess i c P → DivergentProcess i c P'
  divLemBisims .(terminate a) .(terminate a) (eqterminate {a}) nP = nP
  divLemBisims .(node P) .(node P') (eqnode {.P} {P'} PP') (div P divP) =
    div P' (divLemBisims+ P P' PP' divP)

  divLemBisims+ : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process+ ∞ {lu} c)
                  → Bisims+ {i} P P'
                  → DivergentProcess+ i c P → DivergentProcess+ i c P'
  divLemBisims+ P P' PP' (div+ int Q) =
    div+ (bisim₂l PP' int)
         (divLemBisims∞ (PI P int) (PI P' (bisim₂l PP' int)) (bisimINext PP' int) Q)


mutual
  nondivLemBisims∞r : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process∞ ∞ {lu} c)
                      → Bisims∞ {i} P P'
                      → NonDivergent∞ {i} P' → NonDivergent∞ {i} P
  forceND (nondivLemBisims∞r P P' PP' nP) =
    nondivLemBisimsr (forcep P) (forcep P') (forceB PP') (forceND nP)

  nondivLemBisimsr : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process ∞ {lu} c)
                     → Bisims {i} P P'
                     → NonDivergent {i} P' → NonDivergent {i} P
  nondivLemBisimsr .(terminate a) .(terminate a) (eqterminate {a}) nP = tt
  nondivLemBisimsr .(node Q) .(node Q') (eqnode {Q} {Q'} QQ') nP = nondivLemBisims+r Q Q' QQ' nP

  nondivLemBisims+r : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process+ ∞ {lu} c)
                      → Bisims+ {i} P P'
                      → NonDivergent+ {i} P' → NonDivergent+ {i} P
  nondivLemBisims+r P P' PP' (nondiv f p) =
    nondiv (λ i → nondivLemBisims∞r (PI P i) (PI P' (bisim₂l PP' i)) (bisimINext PP' i)
                                     (f (bisim₂l PP' i)))
           (swapChoiceSetssr P P' PP' p)


mutual
  divLemBisims∞r : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process∞ ∞ {lu} c)
                   → Bisims∞ {i} P P'
                   → DivergentProcess∞ i c P' → DivergentProcess∞ i c P
  divLemBisims∞r {i} P P' PP' nP .forcediv =
    divLemBisimsr (forcep P) (forcep P') (forceB PP') (forcediv nP)

  divLemBisimsr : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process ∞ {lu} c)
                  → Bisims {i} P P'
                  → DivergentProcess i c P' → DivergentProcess i c P
  divLemBisimsr .(terminate a) .(terminate a) (eqterminate {a}) nP = nP
  divLemBisimsr .(node P') .(node P) (eqnode {P'} {.P} PP') (div P divP) =
    div P' (divLemBisims+r P' P PP' divP)

  divLemBisims+r : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process+ ∞ {lu} c)
                   → Bisims+ {i} P P'
                   → DivergentProcess+ i c P' → DivergentProcess+ i c P
  divLemBisims+r P P' PP' (div+ int Q) =
    div+ (bisim₂lr PP' int)
         (divLemBisims∞r (PI P (bisim₂lr PP' int)) (PI P' int) (bisimINextr PP' int) Q)


mutual
  stabLemBisims∞ : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process∞ ∞ {lu} c)
                   → Bisims∞ P P'
                   → stable∞ P' → stable∞ P
  stabLemBisims∞ P P' PP' PS' = stabLemBisims (forcep P) (forcep P') (forceB PP') PS'

  stabLemBisims : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process ∞ {lu} c)
                  → Bisims P P'
                  → stable P' → stable P
  stabLemBisims .(terminate a) .(terminate a) (eqterminate {a}) PS' = PS'
  stabLemBisims .(node P) .(node P') (eqnode {P} {P'} PP') PS' = stabLemBisims+ P P' PP' PS'

  stabLemBisims+ : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process+ ∞ {lu} c)
                   → Bisims+ {i} P P'
                   → stable+ P' → stable+ P
  stabLemBisims+ P P' PP' (PnoI ,, PNoTick) =
    (λ int → PnoI (bisim₂l PP' int)) ,, (λ t → PNoTick


mutual
  divergentImpliesNotTermEquiv+ : {lu : LUniv}(c : Choice)
                                  (P : Process+ ∞ {lu} c)
                                  (a : ChoiceSet c)
                                  (terP : TerminateEquivalent+ a P)
                                  (divP : DivergentProcess+ ∞ {lu} c P)
                                  → ⊥
  divergentImpliesNotTermEquiv+ c P a terequivP (div+ int divP) =
    divergentImpliesNotTermEquiv∞ c (PI P int) a (onlyIntChoice terequivP int) divP

  divergentImpliesNotTermEquiv∞ : {lu : LUniv}(c : Choice)
                                  (P : Process∞ ∞ {lu} c)
                                  (a : ChoiceSet c)
                                  (terP : TerminateEquivalent∞ a P)
                                  (divP : DivergentProcess∞ ∞ {lu} c P)
                                  → ⊥
  divergentImpliesNotTermEquiv∞ c P a terP divP =
    divergentImpliesNotTermEquiv c (forcep P) a terP (forcediv divP)

  divergentImpliesNotTermEquiv : {lu : LUniv}(c : Choice)
                                 (P : Process ∞ {lu} c)
                                 (a : ChoiceSet c)
                                 (terP : TerminateEquivalent a P)
                                 (divP : DivergentProcess ∞ {lu} c P)
                                 → ⊥
  divergentImpliesNotTermEquiv c .(node P) a (termeqnode terequivP) (div P divP) =
    divergentImpliesNotTermEquiv+ c P a terequivP divP


mutual
  bisimImpliesDivergentPreserv∞ : {lu : LUniv}(c : Choice) (P P' : Process∞ ∞ {lu} c)
                                  (PP' : Bisimw∞ {∞} P P')
                                  (divP : DivergentProcess∞ ∞ {lu} c P)
                                  → DivergentProcess∞ ∞ {lu} c P'
  forcediv (bisimImpliesDivergentPreserv∞ c P P' PP' divP) =
    bisimImpliesDivergentPreserv c (forcep P) (forcep P') (forceB PP') (forcediv divP)

  bisimImpliesDivergentPreserv+ : {lu : LUniv}(c : Choice) (P P' : Process+ ∞ {lu} c)
                                  (PP' : Bisimw+ {∞} P P')
                                  (divP : DivergentProcess+ ∞ {lu} c P)
                                  → DivergentProcess+ ∞ {lu} c P'
  bisimImpliesDivergentPreserv+ c P P' PP' divP = bisimdiv PP' divP

  --@BEGIN@bisimImpliesDivergentPreserv
  bisimImpliesDivergentPreserv : {lu : LUniv}(c : Choice)
                                 (P P' : Process ∞ {lu} c)
                                 (PP' : Bisimw {∞} P P')
                                 (divP : DivergentProcess ∞ {lu} c P)
                                 → DivergentProcess ∞ {lu} c P'
  bisimImpliesDivergentPreserv c .(terminate _) P' (eqterminate x) ()
  bisimImpliesDivergentPreserv c .(node P) .(terminate a)
                               (eqterminater {a} {.(node P)} (termeqnode terequivP)) (div P divP) =
    ⊥-elim (divergentImpliesNotTermEquiv+ c P a terequivP divP)
  bisimImpliesDivergentPreserv c .(node P) .(node P') (eqnode {.P} {P'} PP') (div P divP) =
    div P' (bisimImpliesDivergentPreserv+ c P P' PP' divP)
  --@END


mutual
  bisimStableImpliesNotDivergent∞' : {lu : LUniv}(c : Choice) (P P' : Process∞ ∞ {lu} c)
                                     (PP' : Bisimw∞ P P')
                                     (PS' : stable∞ P')
                                     → NonDivergent∞ P
  forceND (bisimStableImpliesNotDivergent∞' c P P' PP' PS') =
    bisimStableImpliesNotDivergent' c (forcep P) (forcep P') (forceB PP') PS'

  bisimStableImpliesNotDivergent' : {lu : LUniv}(c : Choice) (P P' : Process ∞ {lu} c)
                                    (PP' : Bisimw P P')
                                    (PS' : stable P')
                                    → NonDivergent P
  bisimStableImpliesNotDivergent' c (terminate x) P' PP' PS' = tt
  bisimStableImpliesNotDivergent' c (node P) .(terminate a) (eqterminater {a} terequiv) PS' =
    TerImpliesNotDivergentaux c (node P) a terequiv
  bisimStableImpliesNotDivergent' c (node P) .(node P') (eqnode {.P} {P'} PP') PS' =
    bisimStableImpliesNotDivergent+' c P P' PP' PS'

  bisimStableImpliesNotDivergent+' : {lu : LUniv}(c : Choice) (P P' : Process+ ∞ {lu} c)
                                     (PP' : Bisimw+ P P') (PS' : stable+ P')
                                     → NonDivergent+ P
  bisimStableImpliesNotDivergent+' c P P' PP' PS' =
    nondiv+r PP' (nondiv (λ i → ⊥-elim (stabToNoInternal+ P' PS' i)) (inj₂ (stabToNoInternal+ P' PS')))


lemBisimDRefusalAux : {lu : LUniv}(c : Choice)
                      (x : ChoiceSet c)
                      (P : Process+ ∞ {lu} c)
                      (hasTauorTickNoTau : ChoiceSet (I P) ⊎ (¬ (ChoiceSet (I P)) × ChoiceSet (T P)))
                      (PS : ChoiceSet (I P) → ⊥)
                      → ChoiceSet (T P)
lemBisimDRefusalAux c x P (inj₁ x₁) PS = ⊥-elim (PS x₁)
lemBisimDRefusalAux c x P (inj₂ (_ ,, x₁)) PS = x₁


mutual
  bisimDRefusal+ : {lu : LUniv}{c : Choice} (P : Process+ ∞ {lu} c) (P' : Process+ ∞ {lu} c)
                   (PS : stable+ P)
                   (PP' : Bisimw+ {∞} P P')
                   (X : Label lu → Bool)
                   (isRoscoe : Bool)
                   (ref : DRefusal+ P isRoscoe X)
                   → DRefusal+ P' isRoscoe X
  bisimDRefusal+ {c} P P' PS PP' X isRoscoe (drefusal noextChInX noTerm) =
    drefusal (bisimDRefusal+NoExtChInX P P' PS PP' X noextChInX)
             (bisimDRefusalNoTicksIfIsRoscoe P P' PS PP' isRoscoe noTerm)

  bisimDRefusalNoTicksIfIsRoscoe : {lu : LUniv}{c : Choice} (P : Process+ ∞ {lu} c)
                                   (P' : Process+ ∞ {lu} c)
                                   (PS : stable+ P)
                                   (PP' : Bisimw+ {∞} P P')
                                   (isRoscoe : Bool)
                                   (ref : NoTicksIfIsRoscoe P isRoscoe)
                                   → NoTicksIfIsRoscoe P' isRoscoe
  bisimDRefusalNoTicksIfIsRoscoe {lu} {c} P P' PS PP' isRoscoe ref tickIsIncl x =
    ref tickIsIncl (lem c P (PT P' x) path PS)
    where
      path : TrP+ {lu} [] (inj₂ (PT P' x)) P
      path = bisimTtrr PP' x

      lem : {lu : LUniv}(c : Choice)(P : Process+ ∞ {lu} c)(x : ChoiceSet c)
            (tr : TrP+ {lu} [] (inj₂ x) P)
            (PS : stable+ P) → ChoiceSet (T P)
      lem c P x (intc .[] .(inj₂ x) x' x₂) PS = ⊥-elim (stabToNoInternal+ P PS x')
      lem c P .(PT P x₁) (terc x₁) PS = x₁

  bisimDRefusal+NoExtChInX : {lu : LUniv}{c : Choice} (P : Process+ ∞ {lu} c)
                             (P' : Process+ ∞ {lu} c)
                             (PS : stable+ P)
                             (PP' : Bisimw+ {∞} P P')
                             (X : Label lu → Bool)
                             (ref : NoExtChInX P X)
                             → NoExtChInX P' X
  bisimDRefusal+NoExtChInX {lu}{c} P P' PS PP' X ref e x = lem₂ c P Q (Lab P' e) tr PS X ref x
    where
      Q : Process ∞ {lu} c
      Q = forcep (PP' .bisimEP'r e)

      tr : TrP+ {lu} (Lab P' e :: []) (inj₁ Q) P
      tr = PP' .bisimEtrr e

      lem₂ : {lu : LUniv}(c : Choice)(P : Process+ ∞ {lu} c)(Q : Process ∞ {lu} c)
             (l : Label lu)(tr : TrP+ {lu} (l :: []) (inj₁ Q) P)
             (PS : stable+ P)(X : Label lu → Bool)(ref : NoExtChInX P X)(labX : True (X l)) → ⊥
      lem₂ c P Q .(Lab P x) (extc .[] .(inj₁ Q) x x₁) PS X ref labX = ref x labX
      lem₂ c P Q l (intc .(l :: []) .(inj₁ Q) x x₁) PS X ref labX = stabToNoInternal+ P PS x

  bisimDRefusal : {lu : LUniv}{c : Choice} (P : Process ∞ {lu} c) (P' : Process ∞ {lu} c)
                  (PS : stable P)
                  (PP' : Bisimw {∞} P P')
                  (X : Label lu → Bool)
                  (isRoscoe : Bool)
                  (ref : DRefusal P isRoscoe X)
                  → DRefusal P' isRoscoe X
  bisimDRefusal (terminate x) (terminate x₁) PS PP' X isRoscoe ref tickIncl = ref tickIncl
  bisimDRefusal (terminate x) (node Q) PS (eqterminate (termeqnode terequivP)) X isRoscoe ref =
    drefusal (λ e → ⊥-elim (noExtChoice terequivP e)) (λ t → ⊥-elim (ref
  bisimDRefusal {lu}{c} (node P) (terminate x) PS
                (eqterminater (termeqnode terequivP)) X isRoscoe (drefusal noextChInX noTerm) tickInc =
    noTerm tickInc (lemBisimDRefusalAux c x P (hasTauOrTickNoTau terequivP) (stabToNoInternal+ P PS))
  bisimDRefusal (node P) (node P') PS (eqnode bisimQQ') X isRoscoe ref =
    bisimDRefusal+ P P' PS bisimQQ' X isRoscoe ref


mutual
  lemmaxxx₁ : {lu : LUniv}{c : Choice} → (result : Process ∞ {lu} c ⊎ ChoiceSet c)
              → (Q : Process ∞ {lu} c)
              → (divQ : DivergentProcess ∞ {lu} c Q)
              → BisimForNextP result (inj₁ Q)
              → Process ∞ {lu} c
  lemmaxxx₁ (inj₁ Q') Q divQ BisimResultQ = Q'
  lemmaxxx₁ (inj₂ y) Q divQ BisimResultQ = ⊥-elim (lemmaDivNotTermequiv Q divQ y BisimResultQ)

  lemmaxxx₂ : {lu : LUniv}{c : Choice} → (result : Process ∞ {lu} c ⊎ ChoiceSet c)
              → (l : List (Label lu))(P : Process ∞ {lu} c)(Q : Process ∞ {lu} c)
              → (divQ : DivergentProcess ∞ {lu} c Q)
              → (bisimForNext : BisimForNextP result (inj₁ Q))
              → (trp : TrP {lu} l result P)
              → TrP {lu} l (inj₁ (lemmaxxx₁ result Q divQ bisimForNext)) P
  lemmaxxx₂ (inj₁ x) l P Q divQ bisimForNext trp = trp
  lemmaxxx₂ (inj₂ y) l P Q divQ bisimForNext trp =
    ⊥-elim (lemmaDivNotTermequiv Q divQ y bisimForNext)

  lemmaxxx₂+ : {lu : LUniv}{c : Choice} → (result : Process ∞ {lu} c ⊎ ChoiceSet c)
               → (l : List (Label lu))(P : Process+ ∞ {lu} c)(Q : Process ∞ {lu} c)
               → (divQ : DivergentProcess ∞ {lu} c Q)
               → (bisimForNext : BisimForNextP result (inj₁ Q))
               → (trp+ : TrP+ {lu} l result P)
               → TrP+ {lu} l (inj₁ (lemmaxxx₁ result Q divQ bisimForNext)) P
  lemmaxxx₂+ (inj₁ x) l P Q divQ bisimForNext trp+ = trp+
  lemmaxxx₂+ (inj₂ y) l P Q divQ bisimForNext trp+ =
    ⊥-elim (lemmaDivNotTermequiv Q divQ y bisimForNext)

  lemmaxxx₃ : {lu : LUniv}{c : Choice} → (result : Process ∞ {lu} c ⊎ ChoiceSet c)
              → (l : List (Label lu))(Q : Process ∞ {lu} c)
              → (divQ : DivergentProcess ∞ {lu} c Q)
              → (bisimForNext : BisimForNextP result (inj₁ Q))
              → Bisimw (lemmaxxx₁ result Q divQ bisimForNext) Q
  lemmaxxx₃ (inj₁ Q') l Q divQ bisimForNext = bisimForNext
  lemmaxxx₃ (inj₂ y) l Q divQ bisimForNext =
    ⊥-elim (lemmaDivNotTermequiv Q divQ y bisimForNext)


mutual
  lemmayyy₁ : {lu : LUniv}{c : Choice} → (result : Process ∞ {lu} c ⊎ ChoiceSet c)
              → (Q : Process ∞ {lu} c)
              → (stab : stable Q)
              → (X : Label lu → Bool)
              → DRefusal {lu}{c} Q true X
              → BisimForNextP result (inj₁ Q)
              → Process ∞ {lu} c
  lemmayyy₁ (inj₁ Q') Q stab X x x₁ = Q'
  lemmayyy₁ (inj₂ y) Q stab X dref termequivQ =
    ⊥-elim (lemmaDrefusalStableNotTermequiv Q X dref stab y termequivQ)

  lemmayyy₁+ : {lu : LUniv}{c : Choice} → (result : Process ∞ {lu} c ⊎ ChoiceSet c)
               → (Q : Process ∞ {lu} c)
               → (stab : stable Q)
               → (X : Label lu → Bool)
               → DRefusal {lu}{c} Q true X
               → BisimForNextP result (inj₁ Q)
               → Process ∞ {lu} c
  lemmayyy₁+ (inj₁ Q') Q stab X x x₁ = Q'
  lemmayyy₁+ (inj₂ y) Q stab X dref termequivQ =
    ⊥-elim (lemmaDrefusalStableNotTermequiv Q X dref stab y termequivQ)

  lemmayyy₂ : {lu : LUniv}{c : Choice} → (result : Process ∞ {lu} c ⊎ ChoiceSet c)
              → (l : List (Label lu))(P : Process ∞ {lu} c)(Q : Process ∞ {lu} c)
              → (stab : stable Q)
              → (X : Label lu → Bool)
              → (dref : DRefusal {lu}{c} Q true X)
              → (bisim : BisimForNextP result (inj₁ Q))
              → TrP {lu} l result P
              → TrP {lu} l (inj₁ (lemmayyy₁ result Q stab X dref bisim)) P
  lemmayyy₂ (inj₁ Q') l P Q stab X dref bisim tr = tr
  lemmayyy₂ (inj₂ y) l P Q stab X dref termequivQ x =
    ⊥-elim (lemmaDrefusalStableNotTermequiv Q X dref stab y termequivQ)

  lemmayyy₂+ : {lu : LUniv}{c : Choice} → (result : Process ∞ {lu} c ⊎ ChoiceSet c)
               → (l : List (Label lu))(P : Process+ ∞ {lu} c)(Q : Process ∞ {lu} c)
               → (stab : stable Q)
               → (X : Label lu → Bool)
               → (dref : DRefusal {lu}{c} Q true X)
               → (bisim : BisimForNextP result (inj₁ Q))
               → TrP+ {lu} l result P
               → TrP+ {lu} l (inj₁ (lemmayyy₁ result Q stab X dref bisim)) P
  lemmayyy₂+ (inj₁ Q') l P Q stab X dref bisim tr = tr
  lemmayyy₂+ (inj₂ y) l P Q stab X dref termequivQ x =
    ⊥-elim (lemmaDrefusalStableNotTermequiv Q X dref stab y termequivQ)

  lemmayyy₃ : {lu : LUniv}{c : Choice} → (result : Process ∞ {lu} c ⊎ ChoiceSet c)
              → (Q : Process ∞ {lu} c)
              → (stab : stable Q)
              → (X : Label lu → Bool)
              → (dref : DRefusal {lu}{c} Q true X)
              → (bisim : BisimForNextP result (inj₁ Q))
              → Bisimw (lemmayyy₁ result Q stab X dref bisim) Q
  lemmayyy₃ (inj₁ Q') Q stab X dref bisim = bisim
  lemmayyy₃ (inj₂ y) Q stab X dref termequivQ =
    ⊥-elim (lemmaDrefusalStableNotTermequiv Q X dref stab y termequivQ)


lemEqList : {A : Set}(l : List A) → l ++ [] ≡ l
lemEqList [] = refl
lemEqList (x :: l) = cong (λ l' → x :: l') (lemEqList l)

stableNotTerminateEquivaux : {lu : LUniv}{c : Choice} (P : Process+ ∞ {lu} c)
                             (x : ChoiceSet c)
                             (hasTauOrTickNoTau : ChoiceSet (I P) ⊎
                                                  (¬ (ChoiceSet (I P)) × ChoiceSet (T P)))
                             (stab : stable+ P)
                             (notick : noTickIfRoscoe+ true P)
                             → ⊥
stableNotTerminateEquivaux P x (inj₁ int) (stabsch ,, x₁) notick = stabsch int
stableNotTerminateEquivaux P x (inj₂ (noint ,, tick)) stab notick = notick tick

stableNotTerminateEquiv : {lu : LUniv}{c : Choice} (P : Process ∞ {lu} c)
                          (x : ChoiceSet c)
                          (terequiv : TerminateEquivalent x P)
                          (stab : stable P)
                          → ⊥
stableNotTerminateEquiv (terminate x) x₁ terequiv stab = stab _
stableNotTerminateEquiv (node P) x (termeqnode terequivP) (stabSch ,, notick) =
  stableNotTerminateEquivaux P x (hasTauOrTickNoTau terequivP) (stabSch ,, notick) notick

noIntNoTerImpliesNoTermTrace : {lu : LUniv}{c : Choice} (P : Process+ ∞ {lu} c)
                               (x : ChoiceSet c)
                               (tr : TrP+ [] (inj₂ x) P)
                               (noint : ¬ (ChoiceSet (I P)))
                               (noTer : ¬ (ChoiceSet (T P)))
                               → ⊥
noIntNoTerImpliesNoTermTrace P x (intc .[] .(inj₂ x) int x₂) noInt noTer = noInt int
noIntNoTerImpliesNoTermTrace P .(PT P ter') (terc ter') noInt noTer = noTer ter'

mutual
  bisimwStableToNoTick : {lu : LUniv}{c : Choice} (P : Process ∞ {lu} c)
                         (P' : Process ∞ {lu} c)
                         (PP' : Bisimw {∞} P P')
                         (stabP' : stable P')
                         (stabP : stable P)
                         → noTickIfRoscoe true P
  bisimwStableToNoTick (terminate x) P' (eqterminate terequiv) stabP' stabP =
    stableNotTerminateEquiv P' x terequiv stabP'
  bisimwStableToNoTick (terminate x) .(terminate _) (eqterminater terequiv) stabP' stabP = stabP' _
  bisimwStableToNoTick (node P) (terminate x) PP' stabP' stabP t = stabP' _
  bisimwStableToNoTick (node P) (node P') (eqnode PP') (noint ,, noterP') noterP ter' =
    noIntNoTerImpliesNoTermTrace P' (PT P ter') (bisimTtr PP' ter') noint noterP'


A.10 bisimilarityProofsWithSchneiderStable3Part2.agda

--@PREFIX@bisimilarityProofsWithSchneiderStablethreeParttwo
module bisimilarityProofsWithSchneiderStable3Part2 where

open import process
open import choiceSetU
open import labelUniv
open import Size
open import Relation.Binary.PropositionalEquality
open import Data.Unit.Base
open import Data.Empty
open import Data.List
open import Data.Sum
open import TraceWithNextProcess
open import dataAuxFunction
open import fdi
open import fdiRefusal
open import bisimilarity
open import bisimSym
open import Data.Bool renaming (T to True)
open import bisimForNextProcess
open import traceImpliesTraceP
open import bisimImpliesBisim
open import auxData
open import bisimilarityProofsWithSchneiderStable3
open import bisimilarityProofsWithSchneiderStable
mutual
  schStabNoTraceToInj₂+ : {lu : LUniv}{c : Choice}(P : Process+ ∞ {lu} c)
                          (stabSchP : stableSch+ P)
                          (a : ChoiceSet c)
                          (tr : TrP+ [] (inj₂ a) P)
                          (notick : ¬ (ChoiceSet (T P)))
                          → ⊥
  schStabNoTraceToInj₂+ P stabSchP a (intc .[] .(inj₂ a) tauP tr) = ⊥-elim (stabSchP tauP)
  schStabNoTraceToInj₂+ P stabSchP .(PT P x) (terc x) y = y x

mutual
  --\bisimilarityProofsWithSchneiderStablethreeParttwo
  --@BEGIN@PartOne
  stabSchBisim2stabRoscIsStabRosc : {lu : LUniv}{c : Choice}
                                    (P P' : Process ∞ {lu} c)
                                    (PP' : Bisimw P P')
                                    (stabP' : stable P')
                                    (stabSchP : stableSch P)
                                    → stable P
  stabSchBisim2stabRoscIsStabRosc (terminate x) (terminate x₁)
                                  (eqterminate terequiv)
                                  stabP' stabSchP = stabP'
  stabSchBisim2stabRoscIsStabRosc (terminate x) (node P')
                                  (eqterminate (termeqnode terequivP'))
                                  (P'stabSch ,, notickP') stabSchP _ =
    tauOrTickNoTauP'ImpliesConclusion tauOrTickNoTauP'
    where
      tauOrTickNoTauP' : ChoiceSet (I P') ⊎ (¬ (ChoiceSet (I P')) × ChoiceSet (T P'))
      tauOrTickNoTauP' = hasTauOrTickNoTau terequivP'

      tauOrTickNoTauP'ImpliesConclusion : ChoiceSet (I P') ⊎ (¬ (ChoiceSet (I P')) × ChoiceSet (T P'))
                                          → ⊥
      tauOrTickNoTauP'ImpliesConclusion (inj₁ tauChoiceP') = P'stabSch tauChoiceP'
      tauOrTickNoTauP'ImpliesConclusion (inj₂ (_ ,, tickChoiceP')) = notickP' tickChoiceP'

  stabSchBisim2stabRoscIsStabRosc (terminate x) .(terminate _)
                                  (eqterminater terequiv)
                                  stabP' stabSchP = stabP'
  stabSchBisim2stabRoscIsStabRosc (node P) (terminate x) PP' stabP' stabSchP = ⊥-elim (stabP' _)
  stabSchBisim2stabRoscIsStabRosc (node P) (node P') (eqnode bisimQQ')
                                  (stabSchP' ,, noTickP') stabSchP =
    stabSchP ,, noTickP
    where
      traceToTickP : (t : ChoiceSet (T P)) → TrP+ [] (inj₂ (PT P t)) P'
      traceToTickP = bisimTtr bisimQQ'

      noTickP : ¬ (ChoiceSet (T P))
      noTickP t = schStabNoTraceToInj₂+ P' stabSchP' (PT P t) (traceToTickP t) noTickP'
  --@END


stabSchBisim2stabRosclsStabRosc+ : {lu : LUniv}{c : Choice}(P P ’: Process-)- oo { lu } c) 

(PP’ : Bisimw+ P P’) 

(stabP ’: stable+ P ’) 

(stabSchP : stableSch+ P) 


a 
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—> stable+ P 

stabSchBisim2stabRosclsStabRosc+ P P’ PP’ (stabSchp ’ ,, noTickP’) stabSchP = stabSchP 
where 

traceToTickP : (t : ChoiceSet (T P)) — > TrP+ [] (inj 2 (PT P t )) P’ 
traceToTickP = bisimTtr PP’ 

noTickP : -i (ChoiceSet (T P)) 

noTickP t = schStabNoTraceTolnj2+ P’ stabSchp’ (PT P t) (traceToTickP t) noTickP’ 


stabSchBisim2stabRosclsStabRoscoo : {lu : LUniv}{c : Choice}(P P’ : Processoo oo {lu} c ) 

(PP’: Bisimwoo P P’) 

(stabP ’: stableoo P’) 

(stabSchP : stableSchoo P) 

—> stableoo P 

stabSchBisim2stabRosclsStabRoscoo P P’ PP’ stabP’ stabSchP = stabSchBisim2stabRosclsS 

(forcep P) (forcep P’) (I 


mutual

  lemmaDrefusalStableNotTermequiv' : {lu : LUniv}{c : Choice}(Q : Process ∞ {lu} c)
                                     (stab : stable Q)
                                     (y : ChoiceSet c)
                                     (termequivQ : TerminateEquivalent y Q)
                                     → ⊥
  lemmaDrefusalStableNotTermequiv' (terminate x) stab y termequiv = ⊥-elim (stab tt)
  lemmaDrefusalStableNotTermequiv' (node Q)
      stab y (termeqnode terequivP) = hasTauOrTickGivesBot hasTauOrTickNoTau'
    where
      hasTauOrTickNoTau' : ChoiceSet (I Q) ⊎
                           ¬ (ChoiceSet (I Q)) × ChoiceSet (T Q)
      hasTauOrTickNoTau' = hasTauOrTickNoTau terequivP

      hasTauOrTickGivesBot : ChoiceSet (I Q) ⊎ ¬ (ChoiceSet (I Q)) × ChoiceSet (T Q) → ⊥
      hasTauOrTickGivesBot (inj₁ x) = stabToNoInternal+ Q stab x
      hasTauOrTickGivesBot (inj₂ (noti ,, t)) = (proj₂' stab) t

mutual

  lemmayyy₁' : {lu : LUniv}{c : Choice} → (result : Process ∞ {lu} c ⊎ ChoiceSet c)
               → (Q : Process ∞ {lu} c)
               → (stab : stable Q)
               → BisimForNextP result (inj₁ Q)
               → Process ∞ {lu} c
  lemmayyy₁' (inj₁ Q') Q stab x₁ = Q'
  lemmayyy₁' (inj₂ y) Q stab termequivQ =
    ⊥-elim (lemmaDrefusalStableNotTermequiv' Q stab y termequivQ)

  {- lemmayyy₁∞' : {lu : LUniv}{c : Choice} → (result : Process ∞ {lu} c ⊎ Choi -}

  lemmayyy₁+' : {lu : LUniv}{c : Choice} → (result : Process ∞ {lu} c ⊎ ChoiceSet c)
                → (Q : Process ∞ {lu} c)
                → (stab : stable Q)
                → BisimForNextP result (inj₁ Q)
                → Process ∞ {lu} c
  lemmayyy₁+' (inj₁ Q') Q stab x₁ = Q'
  lemmayyy₁+' (inj₂ y) Q stab termequivQ =
    ⊥-elim (lemmaDrefusalStableNotTermequiv' Q stab y termequivQ)

  lemmayyy₂' : {lu : LUniv}{c : Choice} → (result : Process ∞ {lu} c ⊎ ChoiceSet c)
               → (l : List (Label lu))(P : Process ∞ {lu} c)(Q : Process ∞ {lu} c)
               → (stab : stable Q)
               → (bisim : BisimForNextP result (inj₁ Q))
               → TrP {lu} l result P
               → TrP {lu} l (inj₁ (lemmayyy₁' result Q stab bisim)) P
  lemmayyy₂' (inj₁ Q') l P Q stab bisim tr = tr
  lemmayyy₂' (inj₂ y) l P Q stab termequivQ x =
    ⊥-elim (lemmaDrefusalStableNotTermequiv' Q stab y termequivQ)

  lemmayyy₂+' : {lu : LUniv}{c : Choice} → (result : Process ∞ {lu} c ⊎ ChoiceSet c)
                → (l : List (Label lu))(P : Process+ ∞ {lu} c)(Q : Process ∞ {lu} c)
                → (stab+ : stable Q)
                → (bisim : BisimForNextP result (inj₁ Q))
                → TrP+ {lu} l result P
                → TrP+ {lu} l (inj₁ (lemmayyy₁' result Q stab+ bisim)) P
  lemmayyy₂+' (inj₁ Q') l P Q stab bisim tr = tr
  lemmayyy₂+' (inj₂ y) l P Q stab termequivQ x =
    ⊥-elim (lemmaDrefusalStableNotTermequiv' Q stab y termequivQ)

  lemmayyy₃' : {lu : LUniv}{c : Choice} → (result : Process ∞ {lu} c ⊎ ChoiceSet c)
               → (Q : Process ∞ {lu} c)
               → (stab : stable Q)
               → (bisim : BisimForNextP result (inj₁ Q))
               → Bisimw (lemmayyy₁' result Q stab bisim) Q
  lemmayyy₃' (inj₁ Q') Q stab bisim = bisim
  lemmayyy₃' (inj₂ y) Q stab termequivQ =
    ⊥-elim (lemmaDrefusalStableNotTermequiv' Q stab y termequivQ)

--\bisimilarityProofsWithSchneiderStablethreeParttwo
--@BEGIN@PartTwo

module _ {lu : LUniv}{c : Choice}(P P' : Process∞ ∞ c)
         (PP' : Bisimw∞ {∞} P P')(l : List (Label lu))
         (Q' : Process ∞ {lu} c)
         (tr' : TrP∞ l (inj₁ Q') P')
         (stab' : stable Q') where

  bisimTraceTrP∞Qcom : Process ∞ c ⊎ ChoiceSet c
  bisimTraceTrP∞Qcom = bisimTraceTrP∞₁ P P' PP' l (inj₁ Q') tr'

  bisimTraceTrP∞trcom : TrP∞ {lu} l (bisimTraceTrP∞₁ P P' PP' l
                                       (inj₁ Q') tr') P
  bisimTraceTrP∞trcom = bisimTraceTrP∞₂ P P' PP' l (inj₁ Q') tr'

  bisimTraceTrP∞QQ'com : BisimForNextP (bisimTraceTrP∞₁ P P' PP' l
                                           (inj₁ Q') tr') (inj₁ Q')
  bisimTraceTrP∞QQ'com = bisimTraceTrP∞₃ P P' PP' l (inj₁ Q') tr'

  bisimTraceTrP∞Q : Process ∞ {lu} c
  bisimTraceTrP∞Q = lemmayyy₁' bisimTraceTrP∞Qcom Q' stab'
                      bisimTraceTrP∞QQ'com

  bisimTraceTrP∞tr : TrP∞ {lu} l (inj₁ bisimTraceTrP∞Q) P
  bisimTraceTrP∞tr = lemmayyy₂' (bisimTraceTrP∞Qcom) l (forcep P)
                       Q' stab' bisimTraceTrP∞QQ'com
                       bisimTraceTrP∞trcom

  bisimTraceTrP∞QQ' : Bisimw bisimTraceTrP∞Q Q'
  bisimTraceTrP∞QQ' = lemmayyy₃'
                        bisimTraceTrP∞Qcom Q' stab'
                        bisimTraceTrP∞QQ'com

  bisimTraceTrP∞Qhat : Process ∞ {lu} c
  bisimTraceTrP∞Qhat = nonDivBecomeStable₁ c bisimTraceTrP∞Q
                         (bisimStableImpliesNotDivergent c
                            bisimTraceTrP∞Q Q'
                            bisimTraceTrP∞QQ' stab'
                            (stableImpliesNonDiv Q' stab'))

  bisimTraceTrP∞trhat : TrP {lu} [] (inj₁ bisimTraceTrP∞Qhat)
                          bisimTraceTrP∞Q
  bisimTraceTrP∞trhat = nonDivBecomeStable₂ c
                          bisimTraceTrP∞Q
                          (bisimStableImpliesNotDivergent c
                             bisimTraceTrP∞Q Q'
                             bisimTraceTrP∞QQ' stab'
                             (stableImpliesNonDiv Q' stab'))

  bisimTraceTrP∞QhatQ' : Bisimw bisimTraceTrP∞Qhat Q'
  bisimTraceTrP∞QhatQ' = bisimPPWithEmptyTr bisimTraceTrP∞Q Q'
                           bisimTraceTrP∞QQ' stab'
                           (bisimStableImpliesNotDivergent c
                              bisimTraceTrP∞Q Q'
                              bisimTraceTrP∞QQ' stab'
                              (stableImpliesNonDiv Q' stab'))
                           bisimTraceTrP∞trhat

  bisimTraceTrP∞stabSchQhat : stableSch bisimTraceTrP∞Qhat
  bisimTraceTrP∞stabSchQhat = nonDivBecomeStable₃ c bisimTraceTrP∞Q
                                (bisimStableImpliesNotDivergent c
                                   bisimTraceTrP∞Q Q'
                                   bisimTraceTrP∞QQ' stab'
                                   (stableImpliesNonDiv Q' stab'))

  bisimTraceTrP∞stabQhat : stable bisimTraceTrP∞Qhat
  bisimTraceTrP∞stabQhat = stabSchBisim2stabRoscIsStabRosc
                             bisimTraceTrP∞Qhat
                             Q' bisimTraceTrP∞QhatQ' stab'
                             bisimTraceTrP∞stabSchQhat

  bisimTraceTrP∞trhat₁ : TrP∞ {lu} (l ++ [])
                           (inj₁ bisimTraceTrP∞Qhat) P
  bisimTraceTrP∞trhat₁ = trPAppendTrw∞ c P bisimTraceTrP∞Q l []
                           (inj₁ bisimTraceTrP∞Qhat)
                           bisimTraceTrP∞tr bisimTraceTrP∞trhat

  bisimTraceTrP∞trhat₂ : TrP∞ {lu} l (inj₁ bisimTraceTrP∞Qhat) P
  bisimTraceTrP∞trhat₂ = subst (λ l' → TrP∞ {lu} l'
                                          (inj₁ bisimTraceTrP∞Qhat)
                                          P)
                               eql bisimTraceTrP∞trhat₁ where
    eql : (l ++ []) ≡ l
    eql = lemEqList l

--@END

A.11 bisimilarityProofsWithSchneiderStable3Part2TheoremOnly.agda


--@PREFIX@bisimilarityProofsWithSchneiderStablethreeParttwoTheo
module bisimilarityProofsWithSchneiderStable3Part2TheoremOnly where

open import process
open import choiceSetU
open import labelUniv
open import Size
open import Relation.Binary.PropositionalEquality
open import Data.Unit.Base
open import Data.Empty
open import Data.List
open import Data.Sum
open import TraceWithNextProcess
open import dataAuxFunction
open import fdi
open import fdiRefusal
open import bisimilarity
open import bisimSym
open import Data.Bool renaming (T to True)
open import bisimForNextProcess
open import traceImpliesTraceP
open import bisimImpliesBisim
open import fdi
open import auxData
open import bisimilarityProofsWithSchneiderStable3
open import bisimSym
open import bisimilarityProofsWithSchneiderStable


mutual

  schStabNoTraceToInj2+ : {lu : LUniv}{c : Choice}(P : Process+ ∞ {lu} c)
                          (stabSchP : stableSch+ P)
                          (a : ChoiceSet c)
                          (tr : TrP+ [] (inj₂ a) P)
                          (notick : ¬ (ChoiceSet (T P)))
                          → ⊥
  schStabNoTraceToInj2+ P stabSchP a (intc .[] .(inj₂ a) tauP tr) = ⊥-elim (stabSchP tauP)
  schStabNoTraceToInj2+ P stabSchP .(PT P x) (terc x) y = y x

mutual

  --\bisimilarityProofsWithSchneiderStablethreeParttwo
  --@BEGIN@PartOne

  stabSchBisim2stabRoscIsStabRosc : {lu : LUniv}{c : Choice}(P P' : Process ∞ {lu} c)
                                    (PP' : Bisimw P P')
                                    (stabP' : stable P')
                                    (stabSchP : stableSch P)
                                    → stable P
  stabSchBisim2stabRoscIsStabRosc (terminate x) (terminate x₁) (eqterminate terequiv) stabP' stabSchP = stabP'
  stabSchBisim2stabRoscIsStabRosc (terminate x) (node P') (eqterminate (termeqnode terequivP'))
      (P'stabSch ,, notickP') stabSchP _ = tauOrTickNoTauP'ImpliesConclusion tauOrTickNoTauP' where
    tauOrTickNoTauP' : ChoiceSet (I P') ⊎ (¬ (ChoiceSet (I P')) × ChoiceSet (T P'))
    tauOrTickNoTauP' = hasTauOrTickNoTau terequivP'

    tauOrTickNoTauP'ImpliesConclusion : ChoiceSet (I P') ⊎ (¬ (ChoiceSet (I P')) × ChoiceSet (T P')) → ⊥
    tauOrTickNoTauP'ImpliesConclusion (inj₁ tauChoiceP') = P'stabSch tauChoiceP'
    tauOrTickNoTauP'ImpliesConclusion (inj₂ (_ ,, tickChoiceP')) = notickP' tickChoiceP'

  stabSchBisim2stabRoscIsStabRosc (terminate x) .(terminate _) (eqterminater terequiv) stabP' stabSchP = stabP'
  stabSchBisim2stabRoscIsStabRosc (node P) (terminate x) PP' stabP' stabSchP = ⊥-elim (stabP')
  stabSchBisim2stabRoscIsStabRosc (node P) (node P') (eqnode bisimQQ') (stabSchP' ,, noTickP') stabSchP = stabSchP ,, noTickP
    where
      traceToTickP : (t : ChoiceSet (T P)) → TrP+ [] (inj₂ (PT P t)) P'
      traceToTickP = bisimTtr bisimQQ'

      noTickP : ¬ (ChoiceSet (T P))
      noTickP t = schStabNoTraceToInj2+ P' stabSchP' (PT P t) (traceToTickP t) noTickP'

  --@END

  stabSchBisim2stabRoscIsStabRosc+ : {lu : LUniv}{c : Choice}(P P' : Process+ ∞ {lu} c)
                                     (PP' : Bisimw+ P P')
                                     (stabP' : stable+ P')
                                     (stabSchP : stableSch+ P)
                                     → stable+ P
  stabSchBisim2stabRoscIsStabRosc+ P P' PP' (stabSchp' ,, noTickP') stabSchP = stabSchP ,, noTickP
    where
      traceToTickP : (t : ChoiceSet (T P)) → TrP+ [] (inj₂ (PT P t)) P'
      traceToTickP = bisimTtr PP'

      noTickP : ¬ (ChoiceSet (T P))
      noTickP t = schStabNoTraceToInj2+ P' stabSchp' (PT P t) (traceToTickP t) noTickP'

  stabSchBisim2stabRoscIsStabRosc∞ : {lu : LUniv}{c : Choice}(P P' : Process∞ ∞ {lu} c)
                                     (PP' : Bisimw∞ P P')
                                     (stabP' : stable∞ P')
                                     (stabSchP : stableSch∞ P)
                                     → stable∞ P
  stabSchBisim2stabRoscIsStabRosc∞ P P' PP' stabP' stabSchP = stabSchBisim2stabRoscIsStabRosc
                                                               (forcep P) (forcep P') (forceB


mutual

  lemmaDrefusalStableNotTermequiv' : {lu : LUniv}{c : Choice}(Q : Process ∞ {lu} c)
                                     (stab : stable Q)
                                     (y : ChoiceSet c)
                                     (termequivQ : TerminateEquivalent y Q)
                                     → ⊥
  lemmaDrefusalStableNotTermequiv' (terminate x) stab y termequiv = ⊥-elim (stab tt)
  lemmaDrefusalStableNotTermequiv' (node Q)
      stab y (termeqnode terequivP) = hasTauOrTickGivesBot hasTauOrTickNoTau'
    where
      hasTauOrTickNoTau' : ChoiceSet (I Q) ⊎
                           ¬ (ChoiceSet (I Q)) × ChoiceSet (T Q)
      hasTauOrTickNoTau' = hasTauOrTickNoTau terequivP

      hasTauOrTickGivesBot : ChoiceSet (I Q) ⊎ ¬ (ChoiceSet (I Q)) × ChoiceSet (T Q) → ⊥
      hasTauOrTickGivesBot (inj₁ x) = stabToNoInternal+ Q stab x
      hasTauOrTickGivesBot (inj₂ (noti ,, t)) = (proj₂' stab) t

mutual

  lemmayyy₁' : {lu : LUniv}{c : Choice} → (result : Process ∞ {lu} c ⊎ ChoiceSet c)
               → (Q : Process ∞ {lu} c)
               → (stab : stable Q)
               → BisimForNextP result (inj₁ Q)
               → Process ∞ {lu} c
  lemmayyy₁' (inj₁ Q') Q stab x₁ = Q'
  lemmayyy₁' (inj₂ y) Q stab termequivQ =
    ⊥-elim (lemmaDrefusalStableNotTermequiv' Q stab y termequivQ)

  lemmayyy₁+' : {lu : LUniv}{c : Choice} → (result : Process ∞ {lu} c ⊎ ChoiceSet c)
                → (Q : Process ∞ {lu} c)
                → (stab : stable Q)
                → BisimForNextP result (inj₁ Q)
                → Process ∞ {lu} c
  lemmayyy₁+' (inj₁ Q') Q stab x₁ = Q'
  lemmayyy₁+' (inj₂ y) Q stab termequivQ =
    ⊥-elim (lemmaDrefusalStableNotTermequiv' Q stab y termequivQ)

  lemmayyy₂' : {lu : LUniv}{c : Choice} → (result : Process ∞ {lu} c ⊎ ChoiceSet c)
               → (l : List (Label lu))(P : Process ∞ {lu} c)(Q : Process ∞ {lu} c)
               → (stab : stable Q)
               → (bisim : BisimForNextP result (inj₁ Q))
               → TrP {lu} l result P
               → TrP {lu} l (inj₁ (lemmayyy₁' result Q stab bisim)) P
  lemmayyy₂' (inj₁ Q') l P Q stab bisim tr = tr
  lemmayyy₂' (inj₂ y) l P Q stab termequivQ x =
    ⊥-elim (lemmaDrefusalStableNotTermequiv' Q stab y termequivQ)

  lemmayyy₂+' : {lu : LUniv}{c : Choice} → (result : Process ∞ {lu} c ⊎ ChoiceSet c)
                → (l : List (Label lu))(P : Process+ ∞ {lu} c)(Q : Process ∞ {lu} c)
                → (stab+ : stable Q)
                → (bisim : BisimForNextP result (inj₁ Q))
                → TrP+ {lu} l result P
                → TrP+ {lu} l (inj₁ (lemmayyy₁' result Q stab+ bisim)) P
  lemmayyy₂+' (inj₁ Q') l P Q stab bisim tr = tr
  lemmayyy₂+' (inj₂ y) l P Q stab termequivQ x =
    ⊥-elim (lemmaDrefusalStableNotTermequiv' Q stab y termequivQ)

  lemmayyy₃' : {lu : LUniv}{c : Choice} → (result : Process ∞ {lu} c ⊎ ChoiceSet c)
               → (Q : Process ∞ {lu} c)
               → (stab : stable Q)
               → (bisim : BisimForNextP result (inj₁ Q))
               → Bisimw (lemmayyy₁' result Q stab bisim) Q
  lemmayyy₃' (inj₁ Q') Q stab bisim = bisim
  lemmayyy₃' (inj₂ y) Q stab termequivQ =
    ⊥-elim (lemmaDrefusalStableNotTermequiv' Q stab y termequivQ)

--\bisimilarityProofsWithSchneiderStablethreeParttwo
--@BEGIN@PartTwo

module _ {lu : LUniv}{c : Choice}
         (P P' : Process∞ ∞ c)
         (PP' : Bisimw∞ {∞} P P')(l : List (Label lu))
         (Q' : Process ∞ {lu} c)
         (tr' : TrP∞ l (inj₁ Q') P')
         (stab' : stable Q') where
  --@HIDE-BEG

  bisimTraceTrP∞Qcom : Process ∞ c ⊎ ChoiceSet c
  bisimTraceTrP∞Qcom = bisimTraceTrP∞₁ P P' PP' l (inj₁ Q') tr'

  bisimTraceTrP∞trcom : TrP∞ {lu} l (bisimTraceTrP∞₁ P P' PP' l
                                       (inj₁ Q') tr') P
  bisimTraceTrP∞trcom = bisimTraceTrP∞₂ P P' PP' l (inj₁ Q') tr'

  bisimTraceTrP∞QQ'com : BisimForNextP (bisimTraceTrP∞₁ P P' PP' l
                                           (inj₁ Q') tr') (inj₁ Q')
  bisimTraceTrP∞QQ'com = bisimTraceTrP∞₃ P P' PP' l (inj₁ Q') tr'

  bisimTraceTrP∞Q : Process ∞ {lu} c
  bisimTraceTrP∞Q = lemmayyy₁' bisimTraceTrP∞Qcom Q' stab'
                      bisimTraceTrP∞QQ'com

  bisimTraceTrP∞tr : TrP∞ {lu} l (inj₁ bisimTraceTrP∞Q) P
  bisimTraceTrP∞tr = lemmayyy₂' (bisimTraceTrP∞Qcom) l (forcep P)
                       Q' stab' bisimTraceTrP∞QQ'com
                       bisimTraceTrP∞trcom

  bisimTraceTrP∞QQ' : Bisimw bisimTraceTrP∞Q Q'
  bisimTraceTrP∞QQ' = lemmayyy₃' bisimTraceTrP∞Qcom Q' stab'
                        bisimTraceTrP∞QQ'com

  --@HIDE-END

  bisimTraceTrP∞Qhat : Process ∞ {lu} c
  --@HIDE-BEG

  bisimTraceTrP∞Qhat = nonDivBecomeStable₁ c bisimTraceTrP∞Q
                         (bisimStableImpliesNotDivergent c
                            bisimTraceTrP∞Q Q'
                            bisimTraceTrP∞QQ' stab'
                            (stableImpliesNonDiv Q' stab'))

  bisimTraceTrP∞trhat : TrP {lu} [] (inj₁ bisimTraceTrP∞Qhat) bisimTraceTrP∞Q
  bisimTraceTrP∞trhat = nonDivBecomeStable₂ c
                          bisimTraceTrP∞Q
                          (bisimStableImpliesNotDivergent c
                             bisimTraceTrP∞Q Q'
                             bisimTraceTrP∞QQ' stab'
                             (stableImpliesNonDiv Q' stab'))

  --@HIDE-END

  bisimTraceTrP∞QhatQ' : Bisimw bisimTraceTrP∞Qhat Q'

  --@HIDE-BEG

  bisimTraceTrP∞QhatQ' = bisimPPWithEmptyTr bisimTraceTrP∞Q Q' bisimTraceTrP∞QQ' stab'
                           (bisimStableImpliesNotDivergent c bisimTraceTrP∞Q Q' bisimTraceTrP∞QQ' stab'
                              (stableImpliesNonDiv Q' stab')) bisimTraceTrP∞trhat

  bisimTraceTrP∞stabSchQhat : stableSch bisimTraceTrP∞Qhat
  bisimTraceTrP∞stabSchQhat = nonDivBecomeStable₃ c bisimTraceTrP∞Q
                                (bisimStableImpliesNotDivergent c bisimTraceTrP∞Q Q' bisimTraceTrP∞QQ' stab'
                                   (stableImpliesNonDiv Q' stab'))

  --@HIDE-END

  bisimTraceTrP∞stabQhat : stable bisimTraceTrP∞Qhat
  --@HIDE-BEG

  bisimTraceTrP∞stabQhat = stabSchBisim2stabRoscIsStabRosc bisimTraceTrP∞Qhat Q' bisimTraceTrP∞QhatQ' stab'
                             bisimTraceTrP∞stabSchQhat

  bisimTraceTrP∞trhat₁ : TrP∞ {lu} (l ++ []) (inj₁ bisimTraceTrP∞Qhat) P
  bisimTraceTrP∞trhat₁ = trPAppendTrw∞ c P bisimTraceTrP∞Q l [] (inj₁ bisimTraceTrP∞Qhat)
                           bisimTraceTrP∞tr bisimTraceTrP∞trhat

  --@HIDE-END

  bisimTraceTrP∞trhat₂ : TrP∞ {lu} l (inj₁ bisimTraceTrP∞Qhat) P

  --@HIDE-BEG

  bisimTraceTrP∞trhat₂ = subst (λ l' → TrP∞ {lu} l' (inj₁ bisimTraceTrP∞Qhat) P) eql bisimTraceTrP∞trhat₁ where
    eql : (l ++ []) ≡ l
    eql = lemEqList l


A.12 bisimilarityProofsWithSchneiderStable3Part2WeakerVersion.agda


--@PREFIX@bisimilarityProofsWithSchneiderStablethreeParttwoWeakerVersion
module bisimilarityProofsWithSchneiderStable3Part2WeakerVersion where

open import process
open import choiceSetU
open import labelUniv
open import Size
open import Relation.Binary.PropositionalEquality
open import Data.Unit.Base
open import Data.Empty
open import Data.List
open import Data.Sum
open import TraceWithNextProcess
open import dataAuxFunction
open import fdi
open import fdiRefusal
open import bisimilarity
open import bisimSym
open import Data.Bool renaming (T to True)
open import bisimForNextProcess
open import traceImpliesTraceP
open import bisimImpliesBisim
open import fdi
open import auxData
open import bisimilarityProofsWithSchneiderStable3
open import bisimSym
open import bisimilarityProofsWithSchneiderStable

mutual

  schStabNoTraceToInj2+ : {lu : LUniv}{c : Choice}(P : Process+ ∞ {lu} c)
                          (stabSchP : stableSch+ P)
                          (a : ChoiceSet c)
                          (tr : TrP+ [] (inj₂ a) P)
                          (notick : ¬ (ChoiceSet (T P)))
                          → ⊥
  schStabNoTraceToInj2+ P stabSchP a (intc .[] .(inj₂ a) tauP tr) = ⊥-elim (stabSchP tauP)
  schStabNoTraceToInj2+ P stabSchP .(PT P x) (terc x) y = y x

mutual

  --\bisimilarityProofsWithSchneiderStablethreeParttwo
  --@BEGIN@PartOne

  stabSchBisim2stabRoscIsStabRosc : {lu : LUniv}{c : Choice}
                                    (P P' : Process ∞ {lu} c)
                                    (PP' : Bisimw P P')
                                    (stabP' : stable P')
                                    (stabSchP : stableSch P)
                                    → stable P
  stabSchBisim2stabRoscIsStabRosc
      (terminate x) (terminate x₁)
      (eqterminate terequiv) stabP' stabSchP = stabP'
  stabSchBisim2stabRoscIsStabRosc
      (terminate x) (node P')
      (eqterminate (termeqnode terequivP'))
      (P'stabSch ,, notickP') stabSchP _
      = tauOrTickNoTauP'ImpliesConclusion tauOrTickNoTauP' where
        tauOrTickNoTauP' : ChoiceSet (I P') ⊎ (¬ (ChoiceSet (I P'))
                                                × ChoiceSet (T P'))
        tauOrTickNoTauP' = hasTauOrTickNoTau terequivP'

        tauOrTickNoTauP'ImpliesConclusion : ChoiceSet (I P')
                                            ⊎ (¬ (ChoiceSet (I P'))
                                               × ChoiceSet (T P')) → ⊥
        tauOrTickNoTauP'ImpliesConclusion (inj₁ tauChoiceP')
          = P'stabSch tauChoiceP'
        tauOrTickNoTauP'ImpliesConclusion (inj₂ (_ ,, tickChoiceP'))
          = notickP' tickChoiceP'

  stabSchBisim2stabRoscIsStabRosc
      (terminate x) .(terminate _) (eqterminater terequiv)
      stabP' stabSchP
      = stabP'
  stabSchBisim2stabRoscIsStabRosc
      (node P) (terminate x) PP' stabP' stabSchP
      = ⊥-elim (stabP')
  stabSchBisim2stabRoscIsStabRosc
      (node P) (node P') (eqnode bisimQQ') (stabSchP' ,, noTickP')
      stabSchP
      = stabSchP ,, noTickP
      where
        traceToTickP : (t : ChoiceSet (T P)) → TrP+ [] (inj₂ (PT P t)) P'
        traceToTickP = bisimTtr bisimQQ'

        noTickP : ¬ (ChoiceSet (T P))
        noTickP t = schStabNoTraceToInj2+ P' stabSchP' (PT P t)
                    (traceToTickP t) noTickP'

  --@END

  stabSchBisim2stabRoscIsStabRosc+ : {lu : LUniv}{c : Choice}(P P' : Process+ ∞ {lu} c)
                                     (PP' : Bisimw+ P P')
                                     (stabP' : stable+ P')
                                     (stabSchP : stableSch+ P)
                                     → stable+ P
  stabSchBisim2stabRoscIsStabRosc+ P P' PP' (stabSchp' ,, noTickP') stabSchP = stabSchP ,, noTickP
    where
      traceToTickP : (t : ChoiceSet (T P)) → TrP+ [] (inj₂ (PT P t)) P'
      traceToTickP = bisimTtr PP'

      noTickP : ¬ (ChoiceSet (T P))
      noTickP t = schStabNoTraceToInj2+ P' stabSchp' (PT P t) (traceToTickP t) noTickP'

  stabSchBisim2stabRoscIsStabRosc∞ : {lu : LUniv}{c : Choice}(P P' : Process∞ ∞ {lu} c)
                                     (PP' : Bisimw∞ P P')
                                     (stabP' : stable∞ P')
                                     (stabSchP : stableSch∞ P)
                                     → stable∞ P
  stabSchBisim2stabRoscIsStabRosc∞ P P' PP' stabP' stabSchP = stabSchBisim2stabRoscIsStabRosc
                                                               (forcep P) (forcep P') (forceB

mutual

  lemmaDrefusalStableNotTermequiv' : {lu : LUniv}{c : Choice}(Q : Process ∞ {lu} c)
                                     (stab : stable Q)
                                     (y : ChoiceSet c)
                                     (termequivQ : TerminateEquivalent y Q)
                                     → ⊥
  lemmaDrefusalStableNotTermequiv' (terminate x) stab y termequiv = ⊥-elim (stab tt)
  lemmaDrefusalStableNotTermequiv' (node Q)
      stab y (termeqnode terequivP) = hasTauOrTickGivesBot hasTauOrTickNoTau'
    where
      hasTauOrTickNoTau' : ChoiceSet (I Q) ⊎
                           ¬ (ChoiceSet (I Q)) × ChoiceSet (T Q)
      hasTauOrTickNoTau' = hasTauOrTickNoTau terequivP

      hasTauOrTickGivesBot : ChoiceSet (I Q) ⊎ ¬ (ChoiceSet (I Q)) × ChoiceSet (T Q) → ⊥
      hasTauOrTickGivesBot (inj₁ x) = stabToNoInternal+ Q stab x
      hasTauOrTickGivesBot (inj₂ (noti ,, t)) = (proj₂' stab) t

mutual

  lemmayyy₁' : {lu : LUniv}{c : Choice} → (result : Process ∞ {lu} c ⊎ ChoiceSet c)
               → (Q : Process ∞ {lu} c)
               → (stab : stable Q)
               → BisimForNextP result (inj₁ Q)
               → Process ∞ {lu} c
  lemmayyy₁' (inj₁ Q') Q stab x₁ = Q'
  lemmayyy₁' (inj₂ y) Q stab termequivQ =
    ⊥-elim (lemmaDrefusalStableNotTermequiv' Q stab y termequivQ)

  lemmayyy₁+' : {lu : LUniv}{c : Choice} → (result : Process ∞ {lu} c ⊎ ChoiceSet c)
                → (Q : Process ∞ {lu} c)
                → (stab : stable Q)
                → BisimForNextP result (inj₁ Q)
                → Process ∞ {lu} c
  lemmayyy₁+' (inj₁ Q') Q stab x₁ = Q'
  lemmayyy₁+' (inj₂ y) Q stab termequivQ =
    ⊥-elim (lemmaDrefusalStableNotTermequiv' Q stab y termequivQ)

  lemmayyy₂' : {lu : LUniv}{c : Choice} → (result : Process ∞ {lu} c ⊎ ChoiceSet c)
               → (l : List (Label lu))(P : Process ∞ {lu} c)(Q : Process ∞ {lu} c)
               → (stab : stable Q)
               → (bisim : BisimForNextP result (inj₁ Q))
               → TrP {lu} l result P
               → TrP {lu} l (inj₁ (lemmayyy₁' result Q stab bisim)) P
  lemmayyy₂' (inj₁ Q') l P Q stab bisim tr = tr
  lemmayyy₂' (inj₂ y) l P Q stab termequivQ x =
    ⊥-elim (lemmaDrefusalStableNotTermequiv' Q stab y termequivQ)

  lemmayyy₂+' : {lu : LUniv}{c : Choice} → (result : Process ∞ {lu} c ⊎ ChoiceSet c)
                → (l : List (Label lu))(P : Process+ ∞ {lu} c)(Q : Process ∞ {lu} c)
                → (stab+ : stable Q)
                → (bisim : BisimForNextP result (inj₁ Q))
                → TrP+ {lu} l result P
                → TrP+ {lu} l (inj₁ (lemmayyy₁' result Q stab+ bisim)) P
  lemmayyy₂+' (inj₁ Q') l P Q stab bisim tr = tr
  lemmayyy₂+' (inj₂ y) l P Q stab termequivQ x =
    ⊥-elim (lemmaDrefusalStableNotTermequiv' Q stab y termequivQ)

  lemmayyy₃' : {lu : LUniv}{c : Choice} → (result : Process ∞ {lu} c ⊎ ChoiceSet c)
               → (Q : Process ∞ {lu} c)
               → (stab : stable Q)
               → (bisim : BisimForNextP result (inj₁ Q))
               → Bisimw (lemmayyy₁' result Q stab bisim) Q
  lemmayyy₃' (inj₁ Q') Q stab bisim = bisim
  lemmayyy₃' (inj₂ y) Q stab termequivQ =
    ⊥-elim (lemmaDrefusalStableNotTermequiv' Q stab y termequivQ)


--\bisimilarityProofsWithSchneiderStablethreeParttwoWeakerVersion
--@BEGIN@PartTwo

module _ {lu : LUniv}{c : Choice}
         (P P' : Process∞ ∞ c)
         (PP' : Bisimw∞ {∞} P P')
         (l : List (Label lu))
         (Q' : Process ∞ {lu} c)
         (tr' : TrP∞ l (inj₁ Q') P') where

  bisimTraceTrP∞Qcom : Process ∞ c ⊎ ChoiceSet c
  bisimTraceTrP∞trcom : TrP∞ {lu} l (bisimTraceTrP∞₁ P P' PP' l
                                       (inj₁ Q') tr') P
  bisimTraceTrP∞QQ'com : BisimForNextP (bisimTraceTrP∞₁ P P' PP' l
                                           (inj₁ Q') tr') (inj₁ Q')

--@END

--\bisimilarityProofsWithSchneiderStablethreeParttwo
--@BEGIN@PartTwoProof

  bisimTraceTrP∞Qcom = bisimTraceTrP∞₁ P P' PP' l (inj₁ Q') tr'
  bisimTraceTrP∞trcom = bisimTraceTrP∞₂ P P' PP' l (inj₁ Q') tr'
  bisimTraceTrP∞QQ'com = bisimTraceTrP∞₃ P P' PP' l (inj₁ Q') tr'

--@END



A.13 bisimilarityProofsWithSchneiderStable3Part3.agda


module bisimilarityProofsWithSchneiderStable3Part3 where

open import process
open import choiceSetU
open import labelUniv
open import Size
open import Relation.Binary.PropositionalEquality
open import Data.Unit.Base
open import Data.Empty
open import Data.List
open import Data.Sum
open import TraceWithNextProcess
open import dataAuxFunction
open import fdi
open import fdiRefusal
open import bisimilarity
open import bisimSym
open import Data.Bool renaming (T to True)
open import bisimForNextProcess
open import traceImpliesTraceP
open import bisimImpliesBisim
open import fdi
open import auxData
open import bisimilarityProofsWithSchneiderStable3
open import bisimilarityProofsWithSchneiderStable3Part2
open import bisimSym
open import bisimilarityProofsWithSchneiderStable


mutual

  --@BEGIN@bisimRefusalros

  bisimRefusalros : {lu : LUniv}{c : Choice} (P : Process ∞ {lu} c)
                    (P' : Process ∞ {lu} c)
                    (PP' : Bisimw {∞} P P') (l : List (Label lu))
                    (X : Label lu → Bool)
                    (fail : failure P' l true X)
                    → failure P l true X
  bisimRefusalros {lu}{c} P P' PP' l X
      (stableFail (stableFp Q' tr' stab' drefuse'))
      = (stableFail (stableFp Qhat trhat₂
                       stabQhat -- (stabSchNoTickIfRos2StablePar Qhat true stabSchQhat {
                       drefusehat))
      where
        Qcom : Process ∞ {lu} c ⊎ ChoiceSet c
        Qcom = bisimTraceTrP₁ P P' PP' l (inj₁ Q') tr'

        trcom : TrP {lu} l (bisimTraceTrP₁ P P' PP' l
                             (inj₁ Q') tr') P
        trcom = bisimTraceTrP₂ P P' PP' l (inj₁ Q') tr'

        QQ'com : BisimForNextP (bisimTraceTrP₁ P P' PP' l
                                  (inj₁ Q') tr') (inj₁ Q')
        QQ'com = bisimTraceTrP₃ P P' PP' l (inj₁ Q') tr'

        Q : Process ∞ {lu} c
        Q = lemmayyy₁ Qcom Q' stab' X drefuse' QQ'com

        tr : TrP {lu} l (inj₁ Q) P
        tr = lemmayyy₂ Qcom l P Q' stab' X drefuse' QQ'com trcom

        QQ' : Bisimw Q Q'
        QQ' = lemmayyy₃ Qcom Q' stab' X drefuse' QQ'com

        Qhat : Process ∞ {lu} c
        Qhat = nonDivBecomeStable₁ c Q
                 (bisimStableImpliesNotDivergent c Q Q' QQ' stab'
                    (stableImpliesNonDiv Q' stab'))

        trhat : TrP {lu} [] (inj₁ Qhat) Q
        trhat = nonDivBecomeStable₂ c Q
                  (bisimStableImpliesNotDivergent c Q Q' QQ' stab'
                     (stableImpliesNonDiv Q' stab'))

        QhatQ' : Bisimw Qhat Q'
        QhatQ' = bisimPPWithEmptyTr Q Q' QQ' stab'
                   (bisimStableImpliesNotDivergent c Q Q' QQ' stab'
                      (stableImpliesNonDiv Q' stab')) trhat

        stabSchQhat : stableSch Qhat
        stabSchQhat = nonDivBecomeStable₃ c Q
                        (bisimStableImpliesNotDivergent c Q Q' QQ' stab'
                           (stableImpliesNonDiv Q' stab'))

        stabQhat : stable Qhat
        stabQhat = stabSchBisim2stabRoscIsStabRosc Qhat Q' QhatQ' stab' stabSchQhat
        -- stabNoTick : noTickIfRoscoe true Qhat
        -- stabNoTick = {!!} -- bisimwStableToNoTick Qhat Q' QhatQ' stab' stabQhat

        trhat₁ : TrP {lu} (l ++ []) (inj₁ Qhat) P
        trhat₁ = trPAppendTrw c P Q l [] (inj₁ Qhat) tr trhat

        eql : (l ++ []) ≡ l
        eql = lemEqList l

        trhat₂ : TrP {lu} l (inj₁ Qhat) P
        trhat₂ = subst (λ l' → TrP {lu} l' (inj₁ Qhat) P) eql trhat₁

        drefusehat : DRefusal Qhat true X
        drefusehat = bisimDRefusal Q' Qhat stab'
                       (BismwSym Qhat Q' QhatQ') X true drefuse'

  bisimRefusalros {lu}{c} P P' PP' l X
      (divergentFailure (trdiv Q' trp' divq'))
      = (divergentFailure (trdiv Q tr divp))
      where
        Qcom : Process ∞ {lu} c ⊎ ChoiceSet c
        Qcom = bisimTraceTrP₁ P P' PP' l (inj₁ Q') trp'

        trcom : TrP {lu} l (bisimTraceTrP₁ P P' PP' l (inj₁ Q') trp') P
        trcom = bisimTraceTrP₂ P P' PP' l (inj₁ Q') trp'

        QQ'com : BisimForNextP
                   (bisimTraceTrP₁ P P' PP' l (inj₁ Q') trp') (inj₁ Q')
        QQ'com = bisimTraceTrP₃ P P' PP' l (inj₁ Q') trp'

        Q : Process ∞ {lu} c
        Q = lemmaxxx₁ Qcom Q' divq' QQ'com

        tr : TrP {lu} l (inj₁ Q) P
        tr = lemmaxxx₂ Qcom l P Q' divq' QQ'com trcom

        QQ' : Bisimw Q Q'
        QQ' = lemmaxxx₃ Qcom l Q' divq' QQ'com

        Q'Q : Bisimw Q' Q
        Q'Q = BismwSym Q Q' QQ'

        divp : DivergentProcess ∞ {lu} c Q
        divp = bisimImpliesDivergentPreserv c Q' Q Q'Q divq'

  --@END


--@BEGIN@bisimRefusalrosplus 

mutual 

bisimRefusalros+ : {lu : LUniv}{c : Choice} ( P : Process+ oo {lu} c) 

(P’: Process+ oo {lu} c ) 

[PP’ : Bisimw+ { 00 } P P ’) 

(l : List (Label lu)) 

(X : Label lu —y Bool) 

(fail : failure+ P’ l true X) 

—>• failure+ P l true X 
bisimRefusalros+ {lu}{c} P P’ PP’ l X 

(stableFail (stableFp Q’ tr’ stab’ drefuse’)) 

= (stableFail (stableFp Qhat trhat 2 stabQhat 

-- (stabSchNoTickIfRos2StablePar Qhat true stabSchQhat stabNoTick) 
drefusehat)) 

where 

Qcom : Process 00 {lu} c l±l ChoiceSet c 

Qcom = bisimTraceTrPx+ P P’ PP’ l (injx Q’) t r ’ 


o 


-o 




407 


A. Agda Code 

o-o 


trcom : TrP+ l (bisimTraceTrPx + P P’ PP’ l (inji Q’) tr’) P 
trcom = bisimTraceTrP 2 + P P’ PP’ l (inji Q’) tr’ 

QQ'com : BisimForNextP 

(bisimTraceTrPi+ P P’ PP’ l (inji Q’) tr’) (inji Q ’) 
QQ’com = bisimTraceTrP 3 + P P’ PP’ l (inji Q’) tr’ 

Q : Process oo {lu} c 

Q = lemmayyyx Qcom Q’ stab’ X drefuse’ QQ’com 
tr : TrP+ {lu} l (inji Q) P 

tr = lemmayyy 2 + Qcom l P Q’ stab’ X drefuse’ QQ'com trcom 
QQ' : Bisimw Q Q’ 

QQ’ = lemmayyy 3 Qcom Q’ stab’ X drefuse’ QQ’com 

Qhat : Process oo {lu} c 

Qhat = nonDivBecomeStablex c Q 

(bisimStablelmpliesNotDivergent cQ Q’ QQ’ stab’ 
(stablelmpliesNonDiv Q’ stab’)) 


trhat : TrP {lu} [] (injx Qhat) Q 
trhat = nonDivBecomeStable 2 c Q 

(bisimStablelmpliesNotDivergent cQ Q’ QQ' stab’ 

(stablelmpliesNonDiv Q’ stab’)) 

QhatQ’ : Bisimw Qhat Q’ 

QhatQ’ = bisimPPWithEmptyTr Q Q’ QQ’ stab’ 

(bisimStablelmpliesNotDivergent cQ Q’ QQ’ stab’ 

(stablelmpliesNonDiv Q’ stab’)) trhat 

stabSchQhat : stableSch Qhat 

stabSchQhat = nonDivBecomeStable 3 c Q 

(bisimStablelmpliesNotDivergent cQ Q’ QQ' stab’ 

(stablelmpliesNonDiv Q’ stab’)) 

{- stabSchQhat : stableSch Qhat stabSchQhat = {!!} -C-nonDivBecomeStable 3 c Q (bisiir 
stabQhat : stable Qhat 

stabQhat = stabSchBisim2stabRosclsStabRosc Qhat Q’ QhatQ’ stab ’ stabSchQhat 


a 


o 
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stabNoTick : noTicklfRoscoe true Qhat 

stabNoTick = bisimwStableToNoTick Qhat Q’QhatQ' stab’ stabQhat 


trhati : TrP+ { lu } ( l ++ []) (inji Qhat) P 
trhati = trPAppendTrw+ c P Q l [] (inji Qhat) tr trhat 

eql : (/ H—f- [] ) = l 

eql = lemEqList l 

trhat 2 : TrP+ {lu} l (inji Qhat) P 

trhat 2 = subst (X l’ —» TrP+ {lu} l’ (inji Qhat) P ) eql trhati 

drefusehat : DRefusal Qhat true X 

drefusehat = bisimDRefusal Q’ Qhat stab’ 

(BismwSym Qhat Q’QhatQ’) A true drefuse’ 


bisimRefusalros+ {lu}{c} P P’ PP’ l X 

(divergentFailure (trdiv Q’ trp’ divq’)) 

= (divergentFailure (trdiv Q tr divp) ) 

where 

Qcom : Process oo {lu} c l±) ChoiceSet c 

Qcom = bisimTraceTrPi+ {lu} P P’ PP’ l (inji Q ’) trp’ 

trcom : TrP+ {lu} l (bisimTraceTrPi+ P P’ PP’ l (inji Q ’) trp’) P 
trcom = bisimTraceTrP 2 + P P’ PP’ l (inji Q ’) trp’ 

QQ’com : BisimForNextP 

(bisimTraceTrPi+ P P’ PP’ l ( inji Q’) trp’) (inji Q’) 
QQ'com = bisimTraceTrP 3 + P P’ PP’ l (inji Q’) trp’ 

Q : Process oo {lu} c 
Q = lemmaxxxi Qcom Q’ divq’ QQ’com 


tr : TrP+ {lu} l (inji Q) P 

tr = lemmaxxx 2 + Qcom l P Q’ divq’ QQ’com trcom 


o 


QQ’ : Bisimw Q Q’ 

QQ' = lemmaxxx 3 Qcom l Q’ divq’ QQ'com 


-o 
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Q'Q : Bisimw Q’ Q 

Q'Q = BismwSym Q Q’ QQ' 

divp : DivergentProcess oo { lu } c Q 

divp = bisimlmpliesDivergentPreserv c Q’Q Q’Q divq’ 


--@END

--@BEGIN@bisimImFdiTwo
bisimImFDI₂ : {lu : LUniv}{c : Choice} (P : Process ∞ {lu} c)
              (P' : Process ∞ {lu} c)
              (PP' : Bisimw {∞} P P')
              → P ⊑fdi₂ros P'
bisimImFDI₂ {lu}{c} P P' PP' = bisimRefusalros P P' PP'

bisimImFDI₂r : {lu : LUniv}{c : Choice} (P : Process ∞ {lu} c)
               (P' : Process ∞ {lu} c)
               (PP' : Bisimw {∞} P P')
               → P' ⊑fdi₂ros P
bisimImFDI₂r {lu}{c} P P' PP' = bisimImFDI₂ P' P (BismwSym P P' PP')
--@END

bisimImFDI₂+ : {lu : LUniv}{c : Choice} (P : Process+ ∞ {lu} c)
               (P' : Process+ ∞ {lu} c)
               (PP' : Bisimw+ {∞} P P')
               → P ⊑fdi₂ros+ P'
bisimImFDI₂+ {lu}{c} P P' PP' = bisimRefusalros+ P P' PP'

bisimImFDI₂r+ : {lu : LUniv}{c : Choice} (P : Process+ ∞ {lu} c)
                (P' : Process+ ∞ {lu} c)
                (PP' : Bisimw+ {∞} P P')
                → P' ⊑fdi₂ros+ P
bisimImFDI₂r+ {lu}{c} P P' PP' = bisimImFDI₂+ P' P (BismwSym+ P P' PP')


A.14 bisimilarityProofsWithSchneiderStable.agda

--@PREFIX@bisimilarityProofs
module bisimilarityProofsWithSchneiderStable where

open import process
open import choiceSetU
open import labelUniv
open import Size
open import Relation.Binary.PropositionalEquality
open import Data.Unit.Base
open import Data.Empty
open import Data.List
open import Data.Sum
open import TraceWithNextProcess
open import dataAuxFunction
open import fdi
open import fdiRefusal
open import bisimilarity
open import bisimSym
open import Data.Bool renaming (T to True)
open import bisimForNextProcess
open import traceImpliesTraceP
open import bisimImpliesBisim
open import fdi
open import auxData


mutual
  nondivImpliesIPornotIPS : {lu : LUniv}{c : Choice}(P : Process+ ∞ {lu} c)
                            (nondiv : NonDivergent+ P)
                            → ChoiceSet (I P) ⊎ ¬ (ChoiceSet (I P))
  nondivImpliesIPornotIPS {c} P (nondiv _ chemptyornot) = chemptyornot

mutual
  swapChoiceSetsS : {lu : LUniv}{c : Choice}(P P' : Process+ ∞ {lu} c)
                    (PP' : Bisimw+ {∞} P P')
                    (nondiv : NonDivergent+ P)
                    → ChoiceSet (I P') ⊎ ¬ (ChoiceSet (I P'))
  swapChoiceSetsS {c} P P' PP' nond = nondivImpliesIPornotIPS P' (nondiv+ PP' nond)

mutual
  stableImpliesNonDiv∞S : {lu : LUniv}{c : Choice}(P : Process∞ ∞ {lu} c)
                          (PS : stable∞ P) → NonDivergent∞ P
  forceND (stableImpliesNonDiv∞S P PS) = stableImpliesNonDivS (forcep P) PS

  stableImpliesNonDivS : {lu : LUniv}{c : Choice}(P : Process ∞ {lu} c)
                         (PS : stable P)
                         → NonDivergent P
  stableImpliesNonDivS (terminate x) PS = tt
  stableImpliesNonDivS (node x) PS = stableImpliesNonDiv+S x PS

  stableImpliesNonDiv+S : {lu : LUniv}{c : Choice}(P : Process+ ∞ {lu} c)
                          (PS : stable+ P) → NonDivergent+ P
  stableImpliesNonDiv+S P PS = nondiv
    (stableImpliesNonDiv+auxS P PS) (inj₂ (stabToNoInternal+ P PS))

  stableImpliesNonDiv+auxS : {lu : LUniv}{c : Choice}(P : Process+ ∞ {lu} c)
                             (PS : stable+ P)(i : ChoiceSet (I P))
                             → NonDivergent∞ (PI P i)
  stableImpliesNonDiv+auxS P PS i = ⊥-elim (stabToNoInternal+ P PS i)


mutual
  TerImpliesNotDivergentaux+S : {lu : LUniv}(c : Choice)(P : Process+ ∞ {lu} c)
                                (a : ChoiceSet c)
                                (terequiv : TerminateEquivalent+ a P)
                                → NonDivergent+ P
  TerImpliesNotDivergentaux+S c P a terequiv = nondiv
    (λ i → TerImpliesNotDivergentaux∞S c (PI P i) a (onlyIntChoice terequiv i))
    (hasTauOrNotTau terequiv)

  TerImpliesNotDivergentauxS : {lu : LUniv}(c : Choice)(P : Process ∞ {lu} c)
                               (a : ChoiceSet c)
                               (terequiv : TerminateEquivalent a P)
                               → NonDivergent P
  TerImpliesNotDivergentauxS c (terminate x) a terequiv = tt
  TerImpliesNotDivergentauxS c (node x) a (termeqnode terequivP)
    = TerImpliesNotDivergentaux+S c x a terequivP

  TerImpliesNotDivergentaux∞S : {lu : LUniv}(c : Choice)(P : Process∞ ∞ {lu} c)
                                (a : ChoiceSet c)
                                (terequiv : TerminateEquivalent a (forcep P))
                                → NonDivergent∞ P
  forceND (TerImpliesNotDivergentaux∞S c P a terequiv)
    = TerImpliesNotDivergentauxS c (forcep P) a terequiv


--@BEGIN@bisimStableImpliesNotDivergent
mutual
  bisimStableImpliesNotDivergent∞S : {lu : LUniv}(c : Choice)
                                     (P P' : Process∞ ∞ {lu} c)
                                     (PP' : Bisimw∞ P P')
                                     (PS' : stable∞ P')
                                     (nonDivP' : NonDivergent∞ P')
                                     → NonDivergent∞ P
  forceND (bisimStableImpliesNotDivergent∞S c P P' PP' PS' nonDivP')
    = bisimStableImpliesNotDivergentS c (forcep P) (forcep P') (forceB PP')
        PS' (forceND nonDivP')

  bisimStableImpliesNotDivergentS : {lu : LUniv}(c : Choice)
                                    (P P' : Process ∞ {lu} c)
                                    (PP' : Bisimw P P')
                                    (PS' : stable P')
                                    (nonDivP' : NonDivergent P')
                                    → NonDivergent P
  bisimStableImpliesNotDivergentS c (terminate x) P' PP' PS' nonDivP' = tt
  bisimStableImpliesNotDivergentS c (node P) (terminate a)
    (eqterminater (termeqnode terequivP)) PS' nonDivP' =
    TerImpliesNotDivergentauxS c (node P) a (termeqnode terequivP)
  bisimStableImpliesNotDivergentS c (node P) (node P') (eqnode PP') PS' nonDivP'
    = bisimStableImpliesNotDivergent+S c P P' PP' PS' nonDivP'

  bisimStableImpliesNotDivergent+S : {lu : LUniv}(c : Choice)
                                     (P P' : Process+ ∞ {lu} c)
                                     (PP' : Bisimw+ P P')
                                     (PS' : stable+ P')
                                     (nonDivP' : NonDivergent+ P')
                                     → NonDivergent+ P
  bisimStableImpliesNotDivergent+S c P P' PP' PS' nonDivP'
    = nondiv+r PP' nonDivP'
--@END


--@BEGIN@nonDivBecomeStable
mutual
  nonDivBecomeStable∞₁S : {lu : LUniv}(c : Choice)
                          (P : Process∞ ∞ {lu} c)
                          (nonDivP : NonDivergent∞ P)
                          → Process ∞ {lu} c
  nonDivBecomeStable∞₁S c P nonDivP = nonDivBecomeStable₁S c (forcep P) (forceND nonDivP)

  nonDivBecomeStable∞₂S : {lu : LUniv}(c : Choice)
                          (P : Process∞ ∞ {lu} c)
                          (nonDivP : NonDivergent∞ P)
                          → TrP∞ {lu} [] (inj₁ (nonDivBecomeStable∞₁S c P nonDivP)) P
  nonDivBecomeStable∞₂S c P nonDivP = nonDivBecomeStable₂S c (forcep P) (forceND nonDivP)

  nonDivBecomeStable∞₃S : {lu : LUniv}(c : Choice)
                          (P : Process∞ ∞ {lu} c)
                          (nonDivP : NonDivergent∞ P)
                          → stableSch (nonDivBecomeStable∞₁S c P nonDivP)
  nonDivBecomeStable∞₃S c P nonDivP = nonDivBecomeStable₃S c (forcep P) (forceND nonDivP)

  nonDivBecomeStable+₁S : {lu : LUniv}(c : Choice)
                          (P : Process+ ∞ {lu} c)
                          (nonDivP : NonDivergent+ P)
                          → Process ∞ {lu} c
  nonDivBecomeStable+₁S c P (nondiv x (inj₁ int)) = nonDivBecomeStable∞₁S c (PI P int) (x int)
  nonDivBecomeStable+₁S c P (nondiv x (inj₂ stab)) = node P

  nonDivBecomeStable+₂S : {lu : LUniv}(c : Choice)
                          (P : Process+ ∞ {lu} c)
                          (nonDivP : NonDivergent+ P)
                          → TrP+ {lu} [] (inj₁ (nonDivBecomeStable+₁S c P nonDivP)) P
  nonDivBecomeStable+₂S c P (nondiv x (inj₁ int)) =
    intc [] (inj₁ (nonDivBecomeStable+₁S c P (nondiv x (inj₁ int)))) int
      (nonDivBecomeStable∞₂S c (PI P int) (x int))
  nonDivBecomeStable+₂S c P (nondiv x (inj₂ stab)) = empty

  nonDivBecomeStable+₃S : {lu : LUniv}(c : Choice)
                          (P : Process+ ∞ {lu} c)
                          (nonDivP : NonDivergent+ P)
                          → stableSch -- stable
                              (nonDivBecomeStable+₁S c P nonDivP)
  nonDivBecomeStable+₃S c P (nondiv x (inj₁ int)) = nonDivBecomeStable∞₃S c (PI P int) (x int)
  nonDivBecomeStable+₃S c P (nondiv x (inj₂ stab)) = stab

  nonDivBecomeStable₁S : {lu : LUniv}(c : Choice)
                         (P : Process ∞ {lu} c)
                         (nonDivP : NonDivergent P)
                         → Process ∞ {lu} c
  nonDivBecomeStable₁S c (terminate x) nonDivP = terminate x
  nonDivBecomeStable₁S c (node x) nonDivP = nonDivBecomeStable+₁S c x nonDivP

  nonDivBecomeStable₂S : {lu : LUniv}(c : Choice)
                         (P : Process ∞ {lu} c)
                         (nonDivP : NonDivergent P)
                         → TrP {lu} [] (inj₁ (nonDivBecomeStable₁S c P nonDivP)) P
  nonDivBecomeStable₂S c (terminate x) nonDivP = empty x
  nonDivBecomeStable₂S c (node x) nonDivP = tnode (nonDivBecomeStable+₂S c x nonDivP)

  nonDivBecomeStable₃S : {lu : LUniv}(c : Choice)
                         (P : Process ∞ {lu} c)
                         (nonDivP : NonDivergent P)
                         → stableSch (nonDivBecomeStable₁S c P nonDivP)
  nonDivBecomeStable₃S c (terminate x) nonDivP = _
  nonDivBecomeStable₃S c (node x) nonDivP = nonDivBecomeStable+₃S c x nonDivP
--@END


mutual
  nonDivBecomesStableBisimProof∞S : {lu : LUniv}{c : Choice}(P : Process∞ ∞ {lu} c)
                                    (nondiv' : NonDivergent∞ P)
                                    (a : ChoiceSet c)
                                    (terequivP : TerminateEquivalent∞ a P)
                                    → Bisimw (nonDivBecomeStable∞₁S c P nondiv') (terminate a)
  nonDivBecomesStableBisimProof∞S P nondiv' a terequivP =
    nonDivBecomesStableBisimProofS (forcep P) (forceND nondiv') a terequivP

  nonDivBecomesStableBisimProofS : {lu : LUniv}{c : Choice}(P : Process ∞ {lu} c)
                                   (nondiv' : NonDivergent P)
                                   (a : ChoiceSet c)
                                   (terequivP : TerminateEquivalent a P)
                                   → Bisimw (nonDivBecomeStable₁S c P nondiv') (terminate a)
  nonDivBecomesStableBisimProofS (terminate x) nondiv' .x termeqterm
    = BismwRef (terminate x)
  nonDivBecomesStableBisimProofS (node x) nondiv' a (termeqnode terequivP) =
    nonDivBecomesStableBisimProof+S x nondiv' a terequivP

  nonDivBecomesStableBisimProof+S : {lu : LUniv}{c : Choice}(P : Process+ ∞ {lu} c)
                                    (nondiv' : NonDivergent+ P)
                                    (a : ChoiceSet c)
                                    (terequivP : TerminateEquivalent+ a P)
                                    → Bisimw (nonDivBecomeStable+₁S c P nondiv') (terminate a)
  nonDivBecomesStableBisimProof+S P (nondiv x (inj₁ int)) a terequivP
    = nonDivBecomesStableBisimProof∞S (PI P int) (x int) a (onlyIntChoice terequivP int)
  nonDivBecomesStableBisimProof+S P (nondiv x (inj₂ stab)) a terequivP
    = eqterminater (termeqnode terequivP)


mutual
  emptyTrPtoQImpliesEqS : {lu : LUniv}{c : Choice}(P P' : Process ∞ {lu} c)
                          (PS' : stable P)(tr : TrP {lu} [] (inj₁ P') P)
                          → P ≡ P'
  emptyTrPtoQImpliesEqS (terminate x) .(terminate x) PS' (empty .x) = refl
  emptyTrPtoQImpliesEqS (node x) .(node x) PS' (tnode empty) = refl
  emptyTrPtoQImpliesEqS (node Q) P' PS' (tnode (intc .[] .(inj₁ P') x₁ x₂))
    = ⊥-elim (stabToNoInternal+ Q PS' x₁)

  emptyTrPtoQImpliesEq+S : {lu : LUniv}{c : Choice}(P : Process+ ∞ {lu} c)(P' : Process ∞ {lu} c)
                           (PS' : stable+ P)(tr : TrP+ {lu} [] (inj₁ P') P)
                           → node P ≡ P'
  emptyTrPtoQImpliesEq+S P P' PS' tr = emptyTrPtoQImpliesEqS (node P) P' PS' (tnode tr)


--@BEGIN@bisimPPWithEmptyTr
mutual
  bisimPPWithEmptyTr∞S : {lu : LUniv}{c : Choice}
                         (P P' : Process∞ ∞ {lu} c)
                         (PP' : Bisimw∞ P P') (PS' : stable∞ P')
                         (nonDivP : NonDivergent∞ P)
                         (tr : TrP∞ {lu} [] (inj₁ (nonDivBecomeStable∞₁S c P nonDivP)) P)
                         → Bisimw (nonDivBecomeStable∞₁S c P nonDivP) (forcep P')
  bisimPPWithEmptyTr∞S P P' PP' PS' nonDivP tr =
    bisimPPWithEmptyTrS (forcep P) (forcep P') (forceB PP') PS' (forceND nonDivP) tr

  bisimPPWithEmptyTrS : {lu : LUniv}{c : Choice}
                        (P P' : Process ∞ {lu} c)
                        (PP' : Bisimw P P') (PS' : stable P')
                        (nonDivP : NonDivergent P)
                        (tr : TrP {lu} [] (inj₁ (nonDivBecomeStable₁S {lu} c P nonDivP)) P)
                        → Bisimw (nonDivBecomeStable₁S {lu} c P nonDivP) P'
  bisimPPWithEmptyTrS {lu} {c} .(terminate x) (terminate x₁) PP' PS' nonDivP (empty x) = PP'
  bisimPPWithEmptyTrS (node P) (terminate a) (eqterminater (termeqnode terequivP))
    PS' (nondiv nondivPI (inj₁ x)) (tnode tr) =
    nonDivBecomesStableBisimProof∞S (PI P x) (nondivPI x) a (onlyIntChoice terequivP x)
  bisimPPWithEmptyTrS (node P) (terminate x) (eqterminater (termeqnode terequivP))
    PS' (nondiv x₁ (inj₂ y)) (tnode tr) =
    eqterminater (termeqnode terequivP)
  bisimPPWithEmptyTrS (terminate P) (node P') PP' PS' nonDivP tr = PP'
  bisimPPWithEmptyTrS (node P) (node P') (eqnode bisimPP') PS'
    (nondiv x chemptyornot) (tnode tr) =
    bisimPPWithEmptyTr+S P P' bisimPP' PS' (nondiv x chemptyornot) tr

  bisimPPWithEmptyTr+S : {lu : LUniv}{c : Choice}
                         (P P' : Process+ ∞ {lu} c)
                         (PP' : Bisimw+ P P') (PS' : stable+ P')
                         (nonDivP : NonDivergent+ P)
                         (tr : TrP+ {lu} [] (inj₁ (nonDivBecomeStable+₁S c P nonDivP)) P)
                         → Bisimw (nonDivBecomeStable+₁S c P nonDivP) (node P')
  bisimPPWithEmptyTr+S {lu}{c} P P' PP' PS' (nondiv nondiv' (inj₁ x₁)) tr = PP'''
    where
      P'~ : Process∞ ∞ {lu} c
      P'~ = bisimIP' PP' x₁

      trP'P'~ : P' ^+*[ [] ] (forcep P'~)
      trP'P'~ = bisimItr PP' x₁

      P'≡P'~ : node P' ≡ forcep P'~ {∞}
      P'≡P'~ = emptyTrPtoQImpliesEq+S P' (forcep P'~) PS' trP'P'~

      P'~≡P' : forcep P'~ {∞} ≡ node P'
      P'~≡P' rewrite P'≡P'~ = refl

      P'~stable : stable (forcep P'~)
      P'~stable rewrite P'~≡P' = PS'

      PP'' : Bisimw (nonDivBecomeStable₁S c (forcep (PI P x₁)) (forceND (nondiv' x₁)))
                    (forcep P'~)
      PP'' = bisimPPWithEmptyTrS (forcep (PI P x₁)) (forcep P'~ {∞})
               (forceB (bisimInext PP' x₁)) P'~stable (forceND (nondiv' x₁))
               (nonDivBecomeStable₂S c (forcep (PI P x₁)) (forceND (nondiv' x₁)))

      PP''' : Bisimw (nonDivBecomeStable∞₁S c (PI P x₁) (nondiv' x₁)) (node P')
      PP''' rewrite P'≡P'~ = PP''
  bisimPPWithEmptyTr+S P P' PP' PS' (nondiv x (inj₂ y)) empty = eqnode PP'
  bisimPPWithEmptyTr+S P P' PP' PS' (nondiv x (inj₂ y))
    (intc .[] .(inj₁ (node P)) x₁ x₂) = eqnode PP'
--@END


mutual
  choicesetornotBismS : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process+ ∞ {lu} c)
                        (PP' : Bisims+ {i} P P')
                        (cc' : ChoiceSet (I P) ⊎ ¬ (ChoiceSet (I P)))
                        → ChoiceSet (I P') ⊎ ¬ (ChoiceSet (I P'))
  choicesetornotBismS {c} P P' PP' (inj₁ ip) = inj₁ (bisim₂I PP' ip)
  choicesetornotBismS {c} P P' PP' (inj₂ notip) = inj₂ (λ ip' → notip (bisim₂Ir PP' ip'))

mutual
  nondivLemBisims∞S : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process∞ ∞ {lu} c)
                      → Bisims∞ {i} P P'
                      → NonDivergent∞ {i} P → NonDivergent∞ {i} P'
  forceND (nondivLemBisims∞S P P' PP' nP)
    = nondivLemBisimsS (forcep P) (forcep P') (forceB PP') (forceND nP)

  nondivLemBisimsS : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process ∞ {lu} c)
                     → Bisims {i} P P'
                     → NonDivergent {i} P → NonDivergent {i} P'
  nondivLemBisimsS .(terminate a) .(terminate a) (eqterminate {a}) nP = tt
  nondivLemBisimsS .(node Q) .(node Q') (eqnode {Q} {Q'} QQ') nP = nondivLemBisims+S Q Q' QQ' nP

  nondivLemBisims+S : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process+ ∞ {lu} c)
                      → Bisims+ {i} P P'
                      → NonDivergent+ {i} P → NonDivergent+ {i} P'
  nondivLemBisims+S P P' PP' (nondiv f p) =
    nondiv (λ i → nondivLemBisims∞S (PI P (bisim₂Ir PP' i)) (PI P' i) (bisimINextr PP' i)
                    (f (bisim₂Ir PP' i)))
           (choicesetornotBismS P P' PP' p)
mutual
  divLemBisims∞S : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process∞ ∞ {lu} c)
                   → Bisims∞ {i} P P'
                   → DivergentProcess∞ i c P → DivergentProcess∞ i c P'
  divLemBisims∞S P P' PP' nP .forcediv
    = divLemBisimsS (forcep P) (forcep P') (forceB PP') (forcediv nP)

  divLemBisimsS : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process ∞ {lu} c)
                  → Bisims {i} P P'
                  → DivergentProcess i c P → DivergentProcess i c P'
  divLemBisimsS .(terminate a) .(terminate a) (eqterminate {a}) nP = nP
  divLemBisimsS .(node P) .(node P') (eqnode {.P} {P'} PP') (div P divP)
    = div P' (divLemBisims+S P P' PP' divP)

  divLemBisims+S : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process+ ∞ {lu} c)
                   → Bisims+ {i} P P'
                   → DivergentProcess+ i c P → DivergentProcess+ i c P'
  divLemBisims+S P P' PP' (div+ int Q) = div+ (bisim₂I PP' int)
    (divLemBisims∞S (PI P int) (PI P' (bisim₂I PP' int)) (bisimINext PP' int) Q)


mutual
  nondivLemBisims∞rS : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process∞ ∞ {lu} c)
                       → Bisims∞ {i} P P'
                       → NonDivergent∞ {i} P' → NonDivergent∞ {i} P
  forceND (nondivLemBisims∞rS P P' PP' nP)
    = nondivLemBisimsrS (forcep P) (forcep P') (forceB PP') (forceND nP)

  nondivLemBisimsrS : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process ∞ {lu} c)
                      → Bisims {i} P P'
                      → NonDivergent {i} P' → NonDivergent {i} P
  nondivLemBisimsrS .(terminate a) .(terminate a) (eqterminate {a}) nP = tt
  nondivLemBisimsrS .(node Q) .(node Q') (eqnode {Q} {Q'} QQ') nP = nondivLemBisims+rS Q Q' QQ' nP

  nondivLemBisims+rS : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process+ ∞ {lu} c)
                       → Bisims+ {i} P P'
                       → NonDivergent+ {i} P' → NonDivergent+ {i} P
  nondivLemBisims+rS P P' PP' (nondiv f p) =
    nondiv (λ i → nondivLemBisims∞rS (PI P i) (PI P' (bisim₂I PP' i)) (bisimINext PP' i)
                    (f (bisim₂I PP' i)))
           (swapChoiceSetssr P P' PP' p)
mutual
  divLemBisims∞rS : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process∞ ∞ {lu} c)
                    → Bisims∞ {i} P P'
                    → DivergentProcess∞ i c P' → DivergentProcess∞ i c P
  divLemBisims∞rS {i} P P' PP' nP .forcediv
    = divLemBisimsrS (forcep P) (forcep P') (forceB PP') (forcediv nP)

  divLemBisimsrS : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process ∞ {lu} c)
                   → Bisims {i} P P'
                   → DivergentProcess i c P' → DivergentProcess i c P
  divLemBisimsrS .(terminate a) .(terminate a) (eqterminate {a}) nP = nP
  divLemBisimsrS .(node P') .(node P) (eqnode {P'} {.P} PP') (div P divP)
    = div P' (divLemBisims+rS P' P PP' divP)

  divLemBisims+rS : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process+ ∞ {lu} c)
                    → Bisims+ {i} P P'
                    → DivergentProcess+ i c P' → DivergentProcess+ i c P
  divLemBisims+rS P P' PP' (div+ int Q) = div+ (bisim₂Ir PP' int)
    (divLemBisims∞rS (PI P (bisim₂Ir PP' int)) (PI P' int) (bisimINextr PP' int) Q)

mutual
  stabLemBisims∞S : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process∞ ∞ {lu} c)
                    → Bisims∞ P P'
                    → stable∞ P' → stable∞ P
  stabLemBisims∞S P P' PP' PS' = stabLemBisimsS (forcep P) (forcep P') (forceB PP') PS'

  stabLemBisimsS : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process ∞ {lu} c)
                   → Bisims P P'
                   → stable P' → stable P
  stabLemBisimsS .(terminate a) .(terminate a) (eqterminate {a}) PS' = PS'
  stabLemBisimsS .(node P) .(node P') (eqnode {P} {P'} PP') PS' = stabLemBisims+S P P' PP' PS'

  stabLemBisims+S : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process+ ∞ {lu} c)
                    → Bisims+ {i} P P'
                    → stable+ P' → stable+ P
  stabLemBisims+S P P' PP' (PnoI , PNoTick) = (λ int → PnoI (bisim₂I PP' int)) , (λ t → PNoTick
mutual
  divergentImpliesNotTermEquiv+S : {lu : LUniv}(c : Choice)
                                   (P : Process+ ∞ {lu} c)
                                   (a : ChoiceSet c)
                                   (terP : TerminateEquivalent+ a P)
                                   (divP : DivergentProcess+ ∞ {lu} c P)
                                   → ⊥
  divergentImpliesNotTermEquiv+S c P a terequivP (div+ int divP) =
    divergentImpliesNotTermEquiv∞S c (PI P int) a (onlyIntChoice terequivP int) divP

  divergentImpliesNotTermEquiv∞S : {lu : LUniv}(c : Choice)
                                   (P : Process∞ ∞ {lu} c)
                                   (a : ChoiceSet c)
                                   (terP : TerminateEquivalent∞ a P)
                                   (divP : DivergentProcess∞ ∞ {lu} c P)
                                   → ⊥
  divergentImpliesNotTermEquiv∞S c P a terP divP
    = divergentImpliesNotTermEquivS c (forcep P) a terP (forcediv divP)

  divergentImpliesNotTermEquivS : {lu : LUniv}(c : Choice)
                                  (P : Process ∞ {lu} c)
                                  (a : ChoiceSet c)
                                  (terP : TerminateEquivalent a P)
                                  (divP : DivergentProcess ∞ {lu} c P)
                                  → ⊥
  divergentImpliesNotTermEquivS c .(node P) a (termeqnode terequivP) (div P divP) =
    divergentImpliesNotTermEquiv+S c P a terequivP divP

mutual
  bisimImpliesDivergentPreserv∞S : {lu : LUniv}(c : Choice) (P P' : Process∞ ∞ {lu} c)
                                   (PP' : Bisimw∞ {∞} P P')
                                   (divP : DivergentProcess∞ ∞ {lu} c P)
                                   → DivergentProcess∞ ∞ {lu} c P'
  forcediv (bisimImpliesDivergentPreserv∞S c P P' PP' divP) =
    bisimImpliesDivergentPreservS c (forcep P) (forcep P') (forceB PP') (forcediv divP)

  bisimImpliesDivergentPreserv+S : {lu : LUniv}(c : Choice) (P P' : Process+ ∞ {lu} c)
                                   (PP' : Bisimw+ {∞} P P')
                                   (divP : DivergentProcess+ ∞ {lu} c P)
                                   → DivergentProcess+ ∞ {lu} c P'
  bisimImpliesDivergentPreserv+S c P P' PP' divP = bisimdiv PP' divP

  --@BEGIN@bisimImpliesDivergentPreserv
  bisimImpliesDivergentPreservS : {lu : LUniv}(c : Choice)
                                  (P P' : Process ∞ {lu} c)
                                  (PP' : Bisimw {∞} P P')
                                  (divP : DivergentProcess ∞ {lu} c P)
                                  → DivergentProcess ∞ {lu} c P'
  bisimImpliesDivergentPreservS c .(terminate _) P' (eqterminate x) ()
  bisimImpliesDivergentPreservS c .(node P) .(terminate a)
    (eqterminater {a} {.(node P)} (termeqnode terequivP)) (div P divP)
    = ⊥-elim (divergentImpliesNotTermEquiv+S c P a terequivP divP)
  bisimImpliesDivergentPreservS c .(node P) .(node P') (eqnode {.P} {P'} PP') (div P divP)
    = div P' (bisimImpliesDivergentPreserv+S c P P' PP' divP)
  --@END


mutual
  bisimStableImpliesNotDivergent∞'S : {lu : LUniv}(c : Choice) (P P' : Process∞ ∞ {lu} c)
                                      (PP' : Bisimw∞ P P')
                                      (PS' : stable∞ P')
                                      → NonDivergent∞ P
  forceND (bisimStableImpliesNotDivergent∞'S c P P' PP' PS') =
    bisimStableImpliesNotDivergent'S c (forcep P) (forcep P') (forceB PP') PS'

  bisimStableImpliesNotDivergent'S : {lu : LUniv}(c : Choice) (P P' : Process ∞ {lu} c)
                                     (PP' : Bisimw P P')
                                     (PS' : stable P')
                                     → NonDivergent P
  bisimStableImpliesNotDivergent'S c (terminate x) P' PP' PS' = tt
  bisimStableImpliesNotDivergent'S c (node P) .(terminate a) (eqterminater {a} terequiv) PS' =
    TerImpliesNotDivergentauxS c (node P) a terequiv
  bisimStableImpliesNotDivergent'S c (node P) .(node P') (eqnode {.P} {P'} PP') PS' =
    bisimStableImpliesNotDivergent+'S c P P' PP' PS'

  bisimStableImpliesNotDivergent+'S : {lu : LUniv}(c : Choice) (P P' : Process+ ∞ {lu} c)
                                      (PP' : Bisimw+ P P') (PS' : stable+ P')
                                      → NonDivergent+ P
  bisimStableImpliesNotDivergent+'S c P P' PP' PS' =
    nondiv+r PP' (nondiv (λ i → ⊥-elim (stabToNoInternal+ P' PS' i))
                         (inj₂ (stabToNoInternal+ P' PS')))


lemBisimDRefusalAuxS : {lu : LUniv}(c : Choice)
                       (x : ChoiceSet c)
                       (P : Process+ ∞ {lu} c)
                       (hasTauorTickNoTau : ChoiceSet (I P) ⊎ (¬ (ChoiceSet (I P)) × ChoiceSet (T P)))
                       (PS : ChoiceSet (I P) → ⊥)
                       → ChoiceSet (T P)
lemBisimDRefusalAuxS c x P (inj₁ x₁) PS = ⊥-elim (PS x₁)
lemBisimDRefusalAuxS c x P (inj₂ (_ , x₁)) PS = x₁


mutual
  bisimDRefusal+S : {lu : LUniv}{c : Choice} (P : Process+ ∞ {lu} c) (P' : Process+ ∞ {lu} c)
                    (PS : stable+ P)
                    (PP' : Bisimw+ {∞} P P')
                    (X : Label lu → Bool)
                    (isRoscoe : Bool)
                    (ref : DRefusal+ P isRoscoe X)
                    → DRefusal+ P' isRoscoe X
  bisimDRefusal+S {c} P P' PS PP' X isRoscoe (drefusal noextChInX noTerm) =
    drefusal (bisimDRefusal+NoExtChInXS P P' PS PP' X noextChInX)
             (bisimDRefusalNoTicksIfIsRoscoeS P P' PS PP' isRoscoe noTerm)

  bisimDRefusalNoTicksIfIsRoscoeS : {lu : LUniv}{c : Choice} (P : Process+ ∞ {lu} c)
                                    (P' : Process+ ∞ {lu} c)
                                    (PS : stable+ P)
                                    (PP' : Bisimw+ {∞} P P')
                                    (isRoscoe : Bool)
                                    (ref : NoTicksIfIsRoscoe P isRoscoe)
                                    → NoTicksIfIsRoscoe P' isRoscoe
  bisimDRefusalNoTicksIfIsRoscoeS {lu} {c} P P' PS PP' isRoscoe ref tickIsIncl x =
    ref tickIsIncl (lemS c P (PT P' x) path PS)
    where
      path : TrP+ {lu} [] (inj₂ (PT P' x)) P
      path = bisimTtrr PP' x

  lemS : {lu : LUniv}(c : Choice)(P : Process+ ∞ {lu} c)(x : ChoiceSet c)
         (tr : TrP+ {lu} [] (inj₂ x) P)
         (PS : stable+ P) → ChoiceSet (T P)
  lemS c P x (intc .[] .(inj₂ x) x' x₂) PS = ⊥-elim (stabToNoInternal+ P PS x')
  lemS c P .(PT P x₁) (terc x₁) PS = x₁

  bisimDRefusal+NoExtChInXS : {lu : LUniv}{c : Choice} (P : Process+ ∞ {lu} c)
                              (P' : Process+ ∞ {lu} c)
                              (PS : stable+ P)
                              (PP' : Bisimw+ {∞} P P')
                              (X : Label lu → Bool)
                              (ref : NoExtChInX P X)
                              → NoExtChInX P' X
  bisimDRefusal+NoExtChInXS {lu}{c} P P' PS PP' X ref e x = lem2S c P Q (Lab P' e) tr PS X ref x
    where
      Q : Process ∞ {lu} c
      Q = forcep (PP' .bisimEP'r e)

      tr : TrP+ {lu} (Lab P' e :: []) (inj₁ Q) P
      tr = PP' .bisimEtrr e

  lem2S : {lu : LUniv}(c : Choice)(P : Process+ ∞ {lu} c)(Q : Process ∞ {lu} c)
          (l : Label lu)(tr : TrP+ {lu} (l :: []) (inj₁ Q) P)
          (PS : stable+ P)(X : Label lu → Bool)(ref : NoExtChInX P X)(labX : True (X l)) → ⊥
  lem2S c P Q .(Lab P x) (extc .[] .(inj₁ Q) x x₁) PS X ref labX = ref x labX
  lem2S c P Q l (intc .(l :: []) .(inj₁ Q) x x₁) PS X ref labX = stabToNoInternal+ P PS x
  bisimDRefusalS : {lu : LUniv}{c : Choice} (P : Process ∞ {lu} c) (P' : Process ∞ {lu} c)
                   (PS : stable P)
                   (PP' : Bisimw {∞} P P')
                   (X : Label lu → Bool)
                   (isRoscoe : Bool)
                   (ref : DRefusal P isRoscoe X)
                   → DRefusal P' isRoscoe X
  bisimDRefusalS (terminate x) (terminate x₁) PS PP' X isRoscoe ref tickIncl = ref tickIncl
  bisimDRefusalS (terminate x) (node Q) PS (eqterminate (termeqnode terequivP)) X isRoscoe ref =
    drefusal (λ e → ⊥-elim (noExtChoice terequivP e)) (λ t → _
  bisimDRefusalS {lu}{c} (node P) (terminate x) PS
    (eqterminater (termeqnode terequivP)) X isRoscoe (drefusal noextChInX noTerm) tickIncl
    = noTerm tickIncl (lemBisimDRefusalAuxS c x P (hasTauOrTickNoTau terequivP)
  bisimDRefusalS (node P) (node P') PS (eqnode bisimQQ') X isRoscoe ref =
    bisimDRefusal+S P P' PS bisimQQ' X isRoscoe ref


mutual
  lemmaxxx₁S : {lu : LUniv}{c : Choice} → (result : Process ∞ {lu} c ⊎ ChoiceSet c)
               → (Q : Process ∞ {lu} c)
               → (divQ : DivergentProcess ∞ {lu} c Q)
               → BisimForNextP result (inj₁ Q)
               → Process ∞ {lu} c
  lemmaxxx₁S (inj₁ Q') Q divQ BisimResultQ = Q'
  lemmaxxx₁S (inj₂ y) Q divQ BisimResultQ = ⊥-elim (lemmaDivNotTermequiv Q divQ y BisimResultQ)

  lemmaxxx₂S : {lu : LUniv}{c : Choice} → (result : Process ∞ {lu} c ⊎ ChoiceSet c)
               → (l : List (Label lu))(P : Process ∞ {lu} c)(Q : Process ∞ {lu} c)
               → (divQ : DivergentProcess ∞ {lu} c Q)
               → (bisimForNext : BisimForNextP result (inj₁ Q))
               → (trp : TrP {lu} l result P)
               → TrP {lu} l (inj₁ (lemmaxxx₁S result Q divQ bisimForNext)) P
  lemmaxxx₂S (inj₁ x) l P Q divQ bisimForNext trp = trp
  lemmaxxx₂S (inj₂ y) l P Q divQ bisimForNext trp = ⊥-elim (lemmaDivNotTermequiv Q divQ y bisimForNext)

  lemmaxxx₂+S : {lu : LUniv}{c : Choice} → (result : Process ∞ {lu} c ⊎ ChoiceSet c)
                → (l : List (Label lu))(P : Process+ ∞ {lu} c)(Q : Process ∞ {lu} c)
                → (divQ : DivergentProcess ∞ {lu} c Q)
                → (bisimForNext : BisimForNextP result (inj₁ Q))
                → (trp+ : TrP+ {lu} l result P)
                → TrP+ {lu} l (inj₁ (lemmaxxx₁S result Q divQ bisimForNext)) P
  lemmaxxx₂+S (inj₁ x) l P Q divQ bisimForNext trp+ = trp+
  lemmaxxx₂+S (inj₂ y) l P Q divQ bisimForNext trp+ = ⊥-elim (lemmaDivNotTermequiv Q divQ y bisimForNext)

  lemmaxxx₃S : {lu : LUniv}{c : Choice} → (result : Process ∞ {lu} c ⊎ ChoiceSet c)
               → (l : List (Label lu))(Q : Process ∞ {lu} c)
               → (divQ : DivergentProcess ∞ {lu} c Q)
               → (bisimForNext : BisimForNextP result (inj₁ Q))
               → Bisimw (lemmaxxx₁S result Q divQ bisimForNext) Q
  lemmaxxx₃S (inj₁ Q') l Q divQ bisimForNext = bisimForNext
  lemmaxxx₃S (inj₂ y) l Q divQ bisimForNext = ⊥-elim (lemmaDivNotTermequiv Q divQ y bisimForNext)


mutual
  lemmayyy₁S : {lu : LUniv}{c : Choice} → (result : Process ∞ {lu} c ⊎ ChoiceSet c)
               → (Q : Process ∞ {lu} c)
               → (stab : stable Q)
               → (X : Label lu → Bool)
               → DRefusal {lu}{c} Q true X
               → BisimForNextP result (inj₁ Q)
               → Process ∞ {lu} c
  lemmayyy₁S (inj₁ Q') Q stab X x x₁ = Q'
  lemmayyy₁S (inj₂ y) Q stab X dref termequivQ =
    ⊥-elim (lemmaDrefusalStableNotTermequiv Q X dref stab y termequivQ)

  lemmayyy₁+S : {lu : LUniv}{c : Choice} → (result : Process ∞ {lu} c ⊎ ChoiceSet c)
                → (Q : Process ∞ {lu} c)
                → (stab : stable Q)
                → (X : Label lu → Bool)
                → DRefusal {lu}{c} Q true X
                → BisimForNextP result (inj₁ Q)
                → Process ∞ {lu} c
  lemmayyy₁+S (inj₁ Q') Q stab X x x₁ = Q'
  lemmayyy₁+S (inj₂ y) Q stab X dref termequivQ =
    ⊥-elim (lemmaDrefusalStableNotTermequiv Q X dref stab y termequivQ)
  lemmayyy₂S : {lu : LUniv}{c : Choice} → (result : Process ∞ {lu} c ⊎ ChoiceSet c)
               → (l : List (Label lu))(P : Process ∞ {lu} c)(Q : Process ∞ {lu} c)
               → (stab : stable Q)
               → (X : Label lu → Bool)
               → (dref : DRefusal {lu}{c} Q true X)
               → (bisim : BisimForNextP result (inj₁ Q))
               → TrP {lu} l result P
               → TrP {lu} l (inj₁ (lemmayyy₁S result Q stab X dref bisim)) P
  lemmayyy₂S (inj₁ Q') l P Q stab X dref bisim tr = tr
  lemmayyy₂S (inj₂ y) l P Q stab X dref termequivQ x =
    ⊥-elim (lemmaDrefusalStableNotTermequiv Q X dref stab y termequivQ)

  lemmayyy₂+S : {lu : LUniv}{c : Choice} → (result : Process ∞ {lu} c ⊎ ChoiceSet c)
                → (l : List (Label lu))(P : Process+ ∞ {lu} c)(Q : Process ∞ {lu} c)
                → (stab : stable Q)
                → (X : Label lu → Bool)
                → (dref : DRefusal {lu}{c} Q true X)
                → (bisim : BisimForNextP result (inj₁ Q))
                → TrP+ {lu} l result P
                → TrP+ {lu} l (inj₁ (lemmayyy₁S result Q stab X dref bisim)) P
  lemmayyy₂+S (inj₁ Q') l P Q stab X dref bisim tr = tr
  lemmayyy₂+S (inj₂ y) l P Q stab X dref termequivQ x =
    ⊥-elim (lemmaDrefusalStableNotTermequiv Q X dref stab y termequivQ)

  lemmayyy₃S : {lu : LUniv}{c : Choice} → (result : Process ∞ {lu} c ⊎ ChoiceSet c)
               → (Q : Process ∞ {lu} c)
               → (stab : stable Q)
               → (X : Label lu → Bool)
               → (dref : DRefusal {lu}{c} Q true X)
               → (bisim : BisimForNextP result (inj₁ Q))
               → Bisimw (lemmayyy₁S result Q stab X dref bisim) Q
  lemmayyy₃S (inj₁ Q') Q stab X dref bisim = bisim
  lemmayyy₃S (inj₂ y) Q stab X dref termequivQ =
    ⊥-elim (lemmaDrefusalStableNotTermequiv Q X dref stab y termequivQ)


lemEqListS : {A : Set}(l : List A) → l ++ [] ≡ l
lemEqListS [] = refl
lemEqListS (x :: l) = cong (λ l' → x :: l') (lemEqListS l)

stableNotTerminateEquivauxS : {lu : LUniv}{c : Choice} (P : Process+ ∞ {lu} c)
                              (x : ChoiceSet c)
                              (hasTauOrTickNoTau : ChoiceSet (I P) ⊎
                                                   (¬ (ChoiceSet (I P)) × ChoiceSet (T P)))
                              (stabSch : stableSch+ P)
                              (notick : noTickIfRoscoe+ true P)
                              → ⊥
stableNotTerminateEquivauxS P x (inj₁ int) stabSch notick = stabSch int
stableNotTerminateEquivauxS P x (inj₂ (noint , tick)) stabSch notick = notick tick

stableNotTerminateEquivS : {lu : LUniv}{c : Choice} (P : Process ∞ {lu} c)
                           (x : ChoiceSet c)
                           (terequiv : TerminateEquivalent x P)
                           (stab : stable P)
                           → ⊥
stableNotTerminateEquivS (terminate x) x₁ terequiv stab = stab _
stableNotTerminateEquivS (node P) x (termeqnode terequivP) (stabSch , notick)
  = stableNotTerminateEquivauxS P x (hasTauOrTickNoTau terequivP) stabSch notick

noIntNoTerImpliesNoTermTraceS : {lu : LUniv}{c : Choice} (P : Process+ ∞ {lu} c)
                                (x : ChoiceSet c)
                                (tr : TrP+ [] (inj₂ x) P)
                                (noint : ¬ (ChoiceSet (I P)))
                                (noTer : ¬ (ChoiceSet (T P)))
                                → ⊥
noIntNoTerImpliesNoTermTraceS P x (intc .[] .(inj₂ x) int x₂) noint noTer = noint int
noIntNoTerImpliesNoTermTraceS P .(PT P ter') (terc ter') noint noTer = noTer ter'

mutual
  bisimwStableToNoTickS : {lu : LUniv}{c : Choice} (P : Process ∞ {lu} c)
                          (P' : Process ∞ {lu} c)
                          (PP' : Bisimw {∞} P P')
                          (stabP' : stable P')
                          (stabSchP : stableSch P)
                          → noTickIfRoscoe true P
  bisimwStableToNoTickS (terminate x) P' (eqterminate terequiv) stabP' stabSchP =
    stableNotTerminateEquivS P'
  bisimwStableToNoTickS (terminate x) .(terminate _) (eqterminater terequiv) stabP' stabSchP
  bisimwStableToNoTickS (node P) (terminate x) PP' stabP' stabSchP t = stabP' _
  bisimwStableToNoTickS (node P) (node P') (eqnode PP') (noint , noterP') noterP ter'
    = noIntNoTerImpliesNoTermTraceS P' (PT P ter') (bisimTtr PP' ter') noint noterP'


mutual
  --@BEGIN@bisimRefusalros
  bisimRefusalrosS : {lu : LUniv}{c : Choice} (P : Process ∞ {lu} c)
                     (P' : Process ∞ {lu} c)
                     (PP' : Bisimw {∞} P P') (l : List (Label lu))
                     (X : Label lu → Bool)
                     (fail : failure P' l true X)
                     → failure P l true X
  bisimRefusalrosS {lu}{c} P P' PP' l X
     (stableFail (stableFp Q' tr' stab' drefuse'))
     = (stableFail (stableFp Qhat trhat₂
          (stabSchNoTickIfRos₂StablePar Qhat true stabSchQhat stabNoTick)
          drefusehat))
     where
       Qcom : Process ∞ {lu} c ⊎ ChoiceSet c
       Qcom = bisimTraceTrP₁ P P' PP' l (inj₁ Q') tr'

       trcom : TrP {lu} l (bisimTraceTrP₁ P P' PP' l (inj₁ Q') tr') P
       trcom = bisimTraceTrP₂ P P' PP' l (inj₁ Q') tr'

       QQ'com : BisimForNextP (bisimTraceTrP₁ P P' PP' l (inj₁ Q') tr') (inj₁ Q')
       QQ'com = bisimTraceTrP₃ P P' PP' l (inj₁ Q') tr'

       Q : Process ∞ {lu} c
       Q = lemmayyy₁S Qcom Q' stab' X drefuse' QQ'com

       tr : TrP {lu} l (inj₁ Q) P
       tr = lemmayyy₂S Qcom l P Q' stab' X drefuse' QQ'com trcom

       QQ' : Bisimw Q Q'
       QQ' = lemmayyy₃S Qcom Q' stab' X drefuse' QQ'com

       Qhat : Process ∞ {lu} c
       Qhat = nonDivBecomeStable₁S c Q
                (bisimStableImpliesNotDivergentS c Q Q' QQ' stab'
                   (stableImpliesNonDivS Q' stab'))

       trhat : TrP {lu} [] (inj₁ Qhat) Q
       trhat = nonDivBecomeStable₂S c Q
                 (bisimStableImpliesNotDivergentS c Q Q' QQ' stab'
                    (stableImpliesNonDivS Q' stab'))

       QhatQ' : Bisimw Qhat Q'
       QhatQ' = bisimPPWithEmptyTrS Q Q' QQ' stab'
                  (bisimStableImpliesNotDivergentS c Q Q' QQ' stab'
                     (stableImpliesNonDivS Q' stab')) trhat

       stabSchQhat : stableSch Qhat
       stabSchQhat = nonDivBecomeStable₃S c Q
                       (bisimStableImpliesNotDivergentS c Q Q' QQ' stab'
                          (stableImpliesNonDivS Q' stab'))

       stabNoTick : noTickIfRoscoe true Qhat
       stabNoTick = bisimwStableToNoTickS Qhat Q' QhatQ' stab' stabSchQhat

       trhat₁ : TrP {lu} (l ++ []) (inj₁ Qhat) P
       trhat₁ = trPAppendTrw c P Q l [] (inj₁ Qhat) tr trhat

       eql : (l ++ []) ≡ l
       eql = lemEqListS l

       trhat₂ : TrP {lu} l (inj₁ Qhat) P
       trhat₂ = subst (λ l' → TrP {lu} l' (inj₁ Qhat) P) eql trhat₁

       drefusehat : DRefusal Qhat true X
       drefusehat = bisimDRefusalS Q' Qhat stab'
                      (BismwSym Qhat Q' QhatQ') X true drefuse'

  bisimRefusalrosS {lu}{c} P P' PP' l X
     (divergentFailure (trdiv Q' trp' divq'))
     = (divergentFailure (trdiv Q tr divp))
     where
       Qcom : Process ∞ {lu} c ⊎ ChoiceSet c
       Qcom = bisimTraceTrP₁ P P' PP' l (inj₁ Q') trp'

       trcom : TrP {lu} l (bisimTraceTrP₁ P P' PP' l (inj₁ Q') trp') P
       trcom = bisimTraceTrP₂ P P' PP' l (inj₁ Q') trp'

       QQ'com : BisimForNextP (bisimTraceTrP₁ P P' PP' l (inj₁ Q') trp') (inj₁ Q')
       QQ'com = bisimTraceTrP₃ P P' PP' l (inj₁ Q') trp'

       Q : Process ∞ {lu} c
       Q = lemmaxxx₁S Qcom Q' divq' QQ'com

       tr : TrP {lu} l (inj₁ Q) P
       tr = lemmaxxx₂S Qcom l P Q' divq' QQ'com trcom

       QQ' : Bisimw Q Q'
       QQ' = lemmaxxx₃S Qcom l Q' divq' QQ'com

       Q'Q : Bisimw Q' Q
       Q'Q = BismwSym Q Q' QQ'

       divp : DivergentProcess ∞ {lu} c Q
       divp = bisimImpliesDivergentPreservS c Q' Q Q'Q divq'


  --@END

  --@BEGIN@bisimRefusalrosplus
mutual
  bisimRefusalros+S : {lu : LUniv}{c : Choice} (P : Process+ ∞ {lu} c)
                      (P' : Process+ ∞ {lu} c)
                      (PP' : Bisimw+ {∞} P P')
                      (l : List (Label lu))
                      (X : Label lu → Bool)
                      (fail : failure+ P' l true X)
                      → failure+ P l true X
  bisimRefusalros+S {lu}{c} P P' PP' l X
     (stableFail (stableFp Q' tr' stab' drefuse'))
     = (stableFail (stableFp Qhat trhat₂
          (stabSchNoTickIfRos₂StablePar Qhat true stabSchQhat stabNoTick) drefusehat))
     where
       Qcom : Process ∞ {lu} c ⊎ ChoiceSet c
       Qcom = bisimTraceTrP₁+ P P' PP' l (inj₁ Q') tr'

       trcom : TrP+ l (bisimTraceTrP₁+ P P' PP' l (inj₁ Q') tr') P
       trcom = bisimTraceTrP₂+ P P' PP' l (inj₁ Q') tr'

       QQ'com : BisimForNextP (bisimTraceTrP₁+ P P' PP' l (inj₁ Q') tr') (inj₁ Q')
       QQ'com = bisimTraceTrP₃+ P P' PP' l (inj₁ Q') tr'

       Q : Process ∞ {lu} c
       Q = lemmayyy₁S Qcom Q' stab' X drefuse' QQ'com

       tr : TrP+ {lu} l (inj₁ Q) P
       tr = lemmayyy₂+S Qcom l P Q' stab' X drefuse' QQ'com trcom

       QQ' : Bisimw Q Q'
       QQ' = lemmayyy₃S Qcom Q' stab' X drefuse' QQ'com

       Qhat : Process ∞ {lu} c
       Qhat = nonDivBecomeStable₁S c Q
                (bisimStableImpliesNotDivergentS c Q Q' QQ' stab'
                   (stableImpliesNonDivS Q' stab'))

       trhat : TrP {lu} [] (inj₁ Qhat) Q
       trhat = nonDivBecomeStable₂S c Q
                 (bisimStableImpliesNotDivergentS c Q Q' QQ' stab'
                    (stableImpliesNonDivS Q' stab'))

       QhatQ' : Bisimw Qhat Q'
       QhatQ' = bisimPPWithEmptyTrS Q Q' QQ' stab'
                  (bisimStableImpliesNotDivergentS c Q Q' QQ' stab'
                     (stableImpliesNonDivS Q' stab')) trhat

       stabSchQhat : stableSch Qhat
       stabSchQhat = nonDivBecomeStable₃S c Q
                       (bisimStableImpliesNotDivergentS c Q Q' QQ' stab'
                          (stableImpliesNonDivS Q' stab'))

       stabNoTick : noTickIfRoscoe true Qhat
       stabNoTick = bisimwStableToNoTickS Qhat Q' QhatQ' stab' stabSchQhat

       trhat₁ : TrP+ {lu} (l ++ []) (inj₁ Qhat) P
       trhat₁ = trPAppendTrw+ c P Q l [] (inj₁ Qhat) tr trhat

       eql : (l ++ []) ≡ l
       eql = lemEqListS l

       trhat₂ : TrP+ {lu} l (inj₁ Qhat) P
       trhat₂ = subst (λ l' → TrP+ {lu} l' (inj₁ Qhat) P) eql trhat₁

       drefusehat : DRefusal Qhat true X
       drefusehat = bisimDRefusalS Q' Qhat stab'
                      (BismwSym Qhat Q' QhatQ') X true drefuse'

  bisimRefusalros+S {lu}{c} P P' PP' l X
     (divergentFailure (trdiv Q' trp' divq'))
     = (divergentFailure (trdiv Q tr divp))
     where
       Qcom : Process ∞ {lu} c ⊎ ChoiceSet c
       Qcom = bisimTraceTrP₁+ {lu} P P' PP' l (inj₁ Q') trp'

       trcom : TrP+ {lu} l (bisimTraceTrP₁+ P P' PP' l (inj₁ Q') trp') P
       trcom = bisimTraceTrP₂+ P P' PP' l (inj₁ Q') trp'

       QQ'com : BisimForNextP (bisimTraceTrP₁+ P P' PP' l (inj₁ Q') trp') (inj₁ Q')
       QQ'com = bisimTraceTrP₃+ P P' PP' l (inj₁ Q') trp'

       Q : Process ∞ {lu} c
       Q = lemmaxxx₁S Qcom Q' divq' QQ'com

       tr : TrP+ {lu} l (inj₁ Q) P
       tr = lemmaxxx₂+S Qcom l P Q' divq' QQ'com trcom

       QQ' : Bisimw Q Q'
       QQ' = lemmaxxx₃S Qcom l Q' divq' QQ'com

       Q'Q : Bisimw Q' Q
       Q'Q = BismwSym Q Q' QQ'

       divp : DivergentProcess ∞ {lu} c Q
       divp = bisimImpliesDivergentPreservS c Q' Q Q'Q divq'
  --@END

  --@BEGIN@bisimImFdiTwo
  bisimImFDI₂S : {lu : LUniv}{c : Choice} (P : Process ∞ {lu} c)
                 (P' : Process ∞ {lu} c)
                 (PP' : Bisimw {∞} P P')
                 → P ⊑fdi₂ros P'
  bisimImFDI₂S {lu}{c} P P' PP' = bisimRefusalrosS P P' PP'

  bisimImFDI₂rS : {lu : LUniv}{c : Choice} (P : Process ∞ {lu} c)
                  (P' : Process ∞ {lu} c)
                  (PP' : Bisimw {∞} P P')
                  → P' ⊑fdi₂ros P
  bisimImFDI₂rS {lu}{c} P P' PP' = bisimImFDI₂S P' P (BismwSym P P' PP')
  --@END

  bisimImFDI₂+S : {lu : LUniv}{c : Choice} (P : Process+ ∞ {lu} c)
                  (P' : Process+ ∞ {lu} c)
                  (PP' : Bisimw+ {∞} P P')
                  → P ⊑fdi₂ros+ P'
  bisimImFDI₂+S {lu}{c} P P' PP' = bisimRefusalros+S P P' PP'

  bisimImFDI₂r+S : {lu : LUniv}{c : Choice} (P : Process+ ∞ {lu} c)
                   (P' : Process+ ∞ {lu} c)
                   (PP' : Bisimw+ {∞} P P')
                   → P' ⊑fdi₂ros+ P
  bisimImFDI₂r+S {lu}{c} P P' PP' = bisimImFDI₂+S P' P (BismwSym+ P P' PP')


A.15 bisimImpliesBisim.agda

--@PREFIX@bisimImpliesBisim
module bisimImpliesBisim where

open import process
open import choiceSetU
open import labelUniv
open import Size
open import bisimilarity

mutual
  --@BEGIN@BismwSymTheo
  BismwSym∞ : {i : Size}{lu : LUniv}{c : Choice}
              (P P' : Process∞ ∞ {lu} c)
              (PP' : Bisimw∞ {i} P P')
              → Bisimw∞ {i} P' P

  BismwSym : {i : Size}{lu : LUniv}{c : Choice}
             (P P' : Process ∞ {lu} c)
             (PP' : Bisimw {i} P P')
             → Bisimw {i} P' P

  BismwSym+ : {i : Size}{lu : LUniv}{c : Choice}
              (P P' : Process+ ∞ {lu} c)
              (PP' : Bisimw+ {i} P P')
              → Bisimw+ {i} P' P
  --@END

  --@BEGIN@BismwSyminf
  forceB (BismwSym∞ P P' PP') = BismwSym (forcep P) (forcep P') (forceB PP')
  --@END

  --@BEGIN@BismwSym
  BismwSym (terminate x) (terminate .x) (eqterminate termeqterm) =
      eqterminate termeqterm
  BismwSym (terminate x) (terminate .x) (eqterminater termeqterm) =
      eqterminater termeqterm
  BismwSym (terminate x) (node P') (eqterminate (termeqnode terequivP)) =
      eqterminater (termeqnode terequivP)
  BismwSym (node P) (terminate x) (eqterminater (termeqnode terequivP)) =
      eqterminate (termeqnode terequivP)
  BismwSym (node P) (node P') (eqnode PP') = eqnode (BismwSym+ P P' PP')
  --@END

  --@BEGIN@BismwSymplus
  bisimdiv (BismwSym+ P P' PP') = bisimdivr PP'
  nondiv+ (BismwSym+ P P' PP') = nondiv+r PP'
  bisimEP' (BismwSym+ P P' PP') = bisimEP'r PP'
  bisimEtr (BismwSym+ P P' PP') = bisimEtrr PP'
  bisimEnext (BismwSym+ P P' PP') e =
      BismwSym∞ (bisimEP'r PP' e) (PE P' e) (bisimEnextr PP' e)
  bisimIP' (BismwSym+ P P' PP') = bisimIP'r PP'
  bisimItr (BismwSym+ P P' PP') = bisimItrr PP'
  bisimInext (BismwSym+ P P' PP') e =
      BismwSym∞ (bisimIP'r PP' e) (PI P' e) (bisimInextr PP' e)
  bisimTtr (BismwSym+ P P' PP') = bisimTtrr PP'
  bisimdivr (BismwSym+ P P' PP') = bisimdiv PP'
  nondiv+r (BismwSym+ P P' PP') = nondiv+ PP'
  bisimEP'r (BismwSym+ P P' PP') = bisimEP' PP'
  bisimEtrr (BismwSym+ P P' PP') = bisimEtr PP'
  bisimEnextr (BismwSym+ P P' PP') e =
      BismwSym∞ (PE P e) (bisimEP' PP' e) (bisimEnext PP' e)
  bisimIP'r (BismwSym+ P P' PP') = bisimIP' PP'
  bisimItrr (BismwSym+ P P' PP') = bisimItr PP'
  bisimInextr (BismwSym+ P P' PP') e =
      BismwSym∞ (PI P e) (bisimIP' PP' e) (bisimInext PP' e)
  bisimTtrr (BismwSym+ P P' PP') = bisimTtr PP'
  --@END


A.16 bisimImpliesFDI.agda

--@PREFIX@bisimImpliesFDImain
module bisimImpliesFDI where

open import process
open import choiceSetU
open import Size
open import Data.List.Base
open import Data.Maybe
open import Data.Sum
open import TraceWithNextProcess
open import bisimilarity
open import bisimImpliesBisim
open import labelUniv
open import fdi
open import fdiRefusal
open import bisimForNextProcess
open import auxData
open import bisimImpliesTraceEquiv
open import bisimilarityProofs
open import RefWithoutSize
open import TraceWithoutSize
open import bisimSImpliesBisimw
open import fdi
open import Data.Empty
open import Data.Bool.Base
open import Data.Unit

--@BEGIN@bisimImTrD
bisimImTrD : {lu : LUniv} {c : Choice} (P : Process ∞ {lu} c)
             (P' : Process ∞ {lu} c)
             (PP' : Bisimw {∞} P P') (l : List (Label lu))
             (TrD : TraceDivergent ∞ c l P')
             → TraceDivergent ∞ c l P
bisimImTrD {lu}{c} P P' PP' l (trdiv Q' trp' divp') = trdiv Q tr divp
  where
    Qcom : Process ∞ {lu} c ⊎ ChoiceSet c
    Qcom = bisimTraceTrP₁ P P' PP' l (inj₁ Q') trp'

    trcom : TrP l (bisimTraceTrP₁ P P' PP' l (inj₁ Q') trp') P
    trcom = bisimTraceTrP₂ P P' PP' l (inj₁ Q') trp'

    QQ'com : BisimForNextP (bisimTraceTrP₁ P P' PP' l (inj₁ Q') trp') (inj₁ Q')
    QQ'com = bisimTraceTrP₃ P P' PP' l (inj₁ Q') trp'

    Q : Process ∞ {lu} c
    Q = lemmaxxx₁ Qcom Q' divp' QQ'com

    tr : TrP l (inj₁ Q) P
    tr = lemmaxxx₂ Qcom l P Q' divp' QQ'com trcom

    QQ' : Bisimw Q Q'
    QQ' = lemmaxxx₃ Qcom l Q' divp' QQ'com

    Q'Q : Bisimw Q' Q
    Q'Q = BismwSym Q Q' QQ'

    divp : DivergentProcess ∞ c Q
    divp = bisimImpliesDivergentPreserv c Q' Q Q'Q divp'
--@END

mutual
  infTrNotTerEquiv+ : {i : Size}{lu : LUniv}{c : Choice}(P : Process+ ∞ {lu} c)
                      (l : Stream {∞} (Label lu))
                      (tr : infTr+ {i} l P)
                      (x : ChoiceSet c)
                      (terequivP : TerminateEquivalent+ x P)
                      → ⊥
  infTrNotTerEquiv+ {i} P l (extc .l x x₁ x₂) x₃ terequivP = ⊥-elim (noExtChoice terequivP x)
  infTrNotTerEquiv+ {i} P l (intc .l x tr) x' terequivP =
      infTrNotTerEquiv∞ {i} (PI P x) l tr x' (onlyIntChoice terequivP)

  infTrNotTerEquiv∞ : {i : Size}{lu : LUniv}{c : Choice}(P : Process∞ ∞ {lu} c)
                      (l : Stream {∞} (Label lu))
                      (tr : infTr {i} l (forcep P {∞}))
                      (x : ChoiceSet c)
                      (terequivP : TerminateEquivalent∞ x P)
                      → ⊥
  infTrNotTerEquiv∞ {i} P l tr x terequivP = infTrNotTerEquiv {i} (forcep P) l tr x terequivP

  infTrNotTerEquiv : {i : Size}{lu : LUniv}{c : Choice}(P : Process ∞ {lu} c)
                     (l : Stream {∞} (Label lu))
                     (tr : infTr {i} l P)
                     (x : ChoiceSet c)
                     (terequivP : TerminateEquivalent x P)
                     → ⊥
  infTrNotTerEquiv (terminate x) l () .x termeqterm
  infTrNotTerEquiv {i} (node P) l (tnode tr) x (termeqnode terequivP)
      = infTrNotTerEquiv+ {i} P l tr x terequivP

mutual
  bisimImTrD+ : {lu : LUniv}{c : Choice} (P : Process+ ∞ {lu} c) (P' : Process+ ∞ {lu} c)
                (PP' : Bisimw+ {∞} P P')
                (l : List (Label lu)) (TrD : TraceDivergent+ ∞ c l P')
                → TraceDivergent+ ∞ c l P
  bisimImTrD+ {lu}{c} P P' PP' l (trdiv Q' trp' divp') = trdiv Q tr divp
    where
      Qcom : Process ∞ {lu} c ⊎ ChoiceSet c
      Qcom = bisimTraceTrP₁+ P P' PP' l (inj₁ Q') trp'

      trcom : TrP+ l (bisimTraceTrP₁+ P P' PP' l (inj₁ Q') trp') P
      trcom = bisimTraceTrP₂+ P P' PP' l (inj₁ Q') trp'

      QQ'com : BisimForNextP (bisimTraceTrP₁+ P P' PP' l (inj₁ Q') trp') (inj₁ Q')
      QQ'com = bisimTraceTrP₃+ P P' PP' l (inj₁ Q') trp'

      Q : Process ∞ {lu} c
      Q = lemmaxxx₁ Qcom Q' divp' QQ'com

      tr : TrP+ l (inj₁ Q) P
      tr = lemmaxxx₂+ Qcom l P Q' divp' QQ'com trcom

      QQ' : Bisimw Q Q'
      QQ' = lemmaxxx₃ Qcom l Q' divp' QQ'com

      Q'Q : Bisimw Q' Q
      Q'Q = BismwSym Q Q' QQ'

      divp : DivergentProcess ∞ c Q
      divp = bisimImpliesDivergentPreserv c Q' Q Q'Q divp'

  --@BEGIN@bisimImFDIOneplus
  bisimImFDI₁ : {lu : LUniv}{c : Choice} (P P' : Process+ ∞ {lu} c)
                (PP' : Bisimw+ {∞} P P')
                → P ⊑fdi₁+ P'
  bisimImFDI₁ {lu}{c} P P' PP' = bisimImTrD+ P P' PP'

  bisimImFDI₁r : {lu : LUniv}{c : Choice} (P P' : Process+ ∞ {lu} c)
                 (PP' : Bisimw+ {∞} P P')
                 → P' ⊑fdi₁+ P
  bisimImFDI₁r {lu}{c} P P' PP' = bisimImFDI₁ P' P (BismwSym+ P P' PP')
  --@END


A.17 bisimImpliesFDIPartTwo.agda

--@PREFIX@bisimImpliesFDIPartTwo
module bisimImpliesFDIPartTwo where

open import process
open import choiceSetU
open import Size
open import Data.List.Base
open import Data.Maybe
open import Data.Sum
open import TraceWithNextProcess
open import bisimilarity
open import bisimImpliesBisim
open import labelUniv
open import fdi
open import fdiRefusal
open import bisimForNextProcess
open import auxData
open import bisimImpliesTraceEquiv
open import bisimilarityProofs
open import RefWithoutSize
open import TraceWithoutSize
open import bisimSImpliesBisimw
open import fdi
open import Data.Empty
open import Data.Bool.Base renaming (T to T')
open import Data.Unit
open import bisimImpliesFDI
open import labelUniv
open import Relation.Binary.PropositionalEquality

mutual
  --@BEGIN@addtauTraceToInfiniteTrace
  addτTraceToInfiniteTrace : {i : Size}{lu : LUniv}{c : Choice}
                             (P : Process ∞ {lu} c)
                             (Q : Process ∞ {lu} c)
                             (l : Stream (Label lu))
                             (tr₁ : TrP [] (inj₁ Q) P)
                             (tr₂ : infTr {i} l Q)
                             → infTr {i} l P
  addτTraceToInfiniteTrace .(terminate x) .(terminate x) l (empty x) tr₂ = tr₂
  addτTraceToInfiniteTrace .(node P) Q l (tnode {.[]} {_} {P} tr₁) tr₂ =
      tnode (addτTraceToInfiniteTrace+ P Q l tr₁ tr₂)

  addτTraceToInfiniteTrace+ : {i : Size}{lu : LUniv}{c : Choice}
                              (P : Process+ ∞ {lu} c)
                              (Q : Process ∞ {lu} c)
                              (l : Stream (Label lu))
                              (tr₁ : TrP+ [] (inj₁ Q) P)
                              (tr₂ : infTr {i} l Q)
                              → infTr+ {i} l P
  addτTraceToInfiniteTrace+ P .(node P) l empty (tnode tr) = tr
  addτTraceToInfiniteTrace+ P Q l (intc .[] .(inj₁ Q) x tr₁) tr₂ =
      intc l x (addτTraceToInfiniteTrace (forcep (PI P x)) Q l tr₁ tr₂)

  addτTraceToInfiniteTrace∞ : {i : Size}{lu : LUniv}{c : Choice}
                              (P : Process∞ ∞ {lu} c)
                              (Q : Process ∞ {lu} c)
                              (l : Stream (Label lu))
                              (tr₁ : TrP∞ [] (inj₁ Q) P)
                              (tr₂ : infTr {i} l Q)
                              → infTr∞ {i} l P
  forcetP (addτTraceToInfiniteTrace∞ P Q l tr₁ tr₂) =
      addτTraceToInfiniteTrace (forcep P) Q l tr₁ tr₂
  --@END

  addτTraceToInfiniteTrace∞∞ : {i : Size}{lu : LUniv}{c : Choice}
                               (P : Process∞ ∞ {lu} c)
                               (Q : Process∞ ∞ {lu} c)
                               (l : Stream (Label lu))
                               (tr₁ : TrP∞ [] (inj₁ (forcep Q)) P)
                               (tr₂ : infTr∞ {i} l Q)
                               → infTr∞ {i} l P
  forcetP (addτTraceToInfiniteTrace∞∞ P Q l tr₁ tr₂) {j} =
      addτTraceToInfiniteTrace (forcep P) (forcep Q) l tr₁ (forcetP tr₂)

mutual
  bisimInfTr : {i : Size}
               {lu : LUniv}{c : Choice}(P P' : Process ∞ {lu} c)
               (PP' : Bisimw {∞} P P')
               (l : Stream (Label lu))
               (tr : infTr {i} l P')
               → infTr {i} l P
  bisimInfTr {i} {lu} {c} (terminate x) .(node P) (eqterminate terequiv)
      l (tnode {.l} {P} tr) =
      ⊥-elim (infTrNotTerEquiv (node P) l (tnode {i} tr) x terequiv)
  bisimInfTr {i} {lu} {c} (node P) .(node P') (eqnode PP') l (tnode {.l} {P'} tr) =
      tnode (bisimInfTr+ P P' PP' l tr)

  --@BEGIN@bisimInfTrPlus
  bisimInfTr+ : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process+ ∞ {lu} c)
                (PP' : Bisimw+ {∞} P P')
                (l : Stream (Label lu))
                (tr : infTr+ {i} l P')
                → infTr+ {i} l P
  bisimInfTr+ {i} {lu} {c} P P' PP' l (extc .l e eq tr) =
      bisimInfTr+aux∞ P Q Q' l (Lab P' e) eq tr₁ QQ' tr
    where
      Q : Process∞ ∞ c
      Q = bisimEP'r PP' e

      Q' : Process∞ ∞ c
      Q' = PE P' e

      tr₁ : TrP+ (Lab P' e :: []) (inj₁ (forcep Q)) P
      tr₁ = bisimEtrr PP' e

      eqlab : T' (Lab P' e ==l head l)
      eqlab = sym==l {lu} {head l} {Lab P' e} eq

      tr₁' : TrP+ (head l :: []) (inj₁ (forcep Q)) P
      tr₁' = transfLu {lu} (λ lab₁ → TrP+ (lab₁ :: []) (inj₁ (forcep Q)) P) eqlab tr₁

      QQ' : Bisimw∞ Q Q'
      QQ' = bisimEnextr PP' e
  --@END

  bisimInfTr+ {i} {lu} {c} P P' PP' l (intc .l int tr) =
      bisimτInfTr+aux P (forcep Q) (forcep Q') tr₁ (forceB QQ') l tr
    where
      Q : Process∞ ∞ c
      Q = bisimIP'r PP' int

      Q' : Process∞ ∞ c
      Q' = PI P' int

      tr₁ : TrP+ [] (inj₁ (forcep Q)) P
      tr₁ = bisimItrr PP' int

      QQ' : Bisimw∞ Q Q'
      QQ' = bisimInextr PP' int

  bisimInfTr+aux∞p : {i : Size}{lu : LUniv}{c : Choice}(P : Process ∞ {lu} c)
                     (Q : Process∞ ∞ c)
                     (Q' : Process∞ ∞ c)
                     (l : Stream (Label lu))
                     (la : Label lu)
                     (eqlab : T' (head l ==l la))
                     (tr₁ : TrP (la :: []) (inj₁ (forcep Q)) P)
                     (QQ' : Bisimw∞ Q Q')
                     (tr₂ : infTr∞ {i} (tail l) Q')
                     → infTr {i} l P
  bisimInfTr+aux∞p .(node P) Q Q' l la eqlab (tnode {P = P} tr₁) QQ' tr₂
      = tnode (bisimInfTr+aux∞ P Q Q' l la eqlab tr₁ QQ' tr₂)

  --@BEGIN@bisimInfTrAuxInfty
  bisimInfTr+aux∞ : {i : Size}{lu : LUniv}{c : Choice}
                    (P : Process+ ∞ {lu} c)
                    (Q : Process∞ ∞ c)
                    (Q' : Process∞ ∞ c)
                    (l : Stream (Label lu))
                    (la : Label lu)
                    (eqlab : T' (head l ==l la))
                    (tr₁ : TrP+ (la :: []) (inj₁ (forcep Q)) P)
                    (QQ' : Bisimw∞ Q Q')
                    (tr₂ : infTr∞ {i} (tail l) Q')
                    → infTr+ {i} l P
  bisimInfTr+aux∞ P Q Q' l .(Lab P x) eqlab
      (extc .[] .(inj₁ (forcep Q)) x tr₁)
      QQ' tr₂
      = extc l x eqlab
          (addτTraceToInfiniteTrace∞∞ (PE P x) Q (tail l) tr₁
             (bisimInfTr∞ Q Q' QQ' (tail l) tr₂))
  bisimInfTr+aux∞ P Q Q' l la eqlab
      (intc .(la :: []) .(inj₁ (forcep Q)) x tr₁) QQ' tr₂ =
      intc l x
         (bisimInfTr+aux∞p (forcep (PI P x)) Q Q' l la eqlab tr₁ QQ' tr₂)
  --@END

  --@BEGIN@bisimTauInfTrplusAux
  bisimτInfTr+aux : {i : Size}{lu : LUniv}{c : Choice}(P : Process+ ∞ {lu} c)
                    (Q : Process ∞ c)
                    (Q' : Process ∞ c)
                    (tr₁ : TrP+ [] (inj₁ Q) P)
                    (QQ' : Bisimw Q Q')
                    (l : Stream (Label lu))
                    (tr₂ : infTr {i} l Q')
                    → infTr+ {i} l P
  bisimτInfTr+aux P .(node P) .(node P')
      empty (eqnode PP') l (tnode {.l} {P'} tr) = bisimInfTr+ P P' PP' l tr
  bisimτInfTr+aux P Q Q' (intc .[] .(inj₁ Q) x tr₁) QQ' l tr₂ =
      intc l x (addτTraceToInfiniteTrace (forcep (PI P x)) Q l tr₁
                  (bisimInfTr Q Q' QQ' l tr₂))
  --@END

  -- This is the place where, when an external choice from the trace of P' is
  -- reflected into the trace starting from P, we go down in size, as
  -- indicated by the forcetP.
  bisimInfTr∞ : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process∞ ∞ {lu} c)
                (PP' : Bisimw∞ {∞} P P')
                (l : Stream (Label lu))
                (tr : infTr∞ {i} l P')
                → infTr∞ {i} l P
  forcetP (bisimInfTr∞ P P' PP' l tr) {j} =
      bisimInfTr (forcep P) (forcep P') (forceB PP') l (forcetP tr)

  bisimInfTr∞' : {i : Size}{lu : LUniv}{c : Choice}(P P' : Process∞ ∞ {lu} c)
                 (PP' : Bisimw∞ {∞} P P')
                 (l : Stream (Label lu))
                 (tr : infTr∞' {i} l P')
                 → infTr∞' {i} l P
  bisimInfTr∞' P P' PP' l tr = bisimInfTr (forcep P) (forcep P') (forceB PP') l tr

bisimImFDI₃ : {lu : LUniv}{c : Choice}(P P' : Process ∞ {lu} c)
              (PP' : Bisimw {∞} P P')
              → P ⊑fdi₃ P'
bisimImFDI₃ = bisimInfTr {∞}

bisimImFDI₃+ : {lu : LUniv}{c : Choice}(P P' : Process+ ∞ {lu} c)
               (PP' : Bisimw+ {∞} P P')
               → P ⊑fdi₃+ P'
bisimImFDI₃+ = bisimInfTr+ {∞}

bisimImFDI₃∞ : {lu : LUniv}{c : Choice}(P P' : Process∞ ∞ {lu} c)
               (PP' : Bisimw∞ {∞} P P')
               → P ⊑fdi₃∞ P'
bisimImFDI₃∞ = bisimInfTr∞ {∞}

mutual
  bisimFDI : {lu : LUniv}{c : Choice}(P P' : Process ∞ {lu} c)
             (PP' : Bisimw {∞} P P') → P ⊑fdi P'
  bisimFDI (terminate x) (terminate .x) (eqterminate termeqterm)
      = (((λ l m tr → tr) ,, (λ l x₁ → x₁)) ,,
         (λ l X x₁ → x₁)) ,, (λ l x → x)
  bisimFDI (terminate x) (terminate .x) (eqterminater termeqterm)
      = (((λ l m tr → tr) ,, (λ l x₁ → x₁)) ,,
         (λ l X x₁ → x₁)) ,, (λ l x → x)
  bisimFDI (terminate x) (node P') (eqterminate (termeqnode terequivP))
      = (((bisimTraceEq (terminate x) (node P')
             (eqterminate (termeqnode terequivP))) ,,
          (bisimImTrD (terminate x) (node P')
             (eqterminate (termeqnode terequivP)))) ,,
         (bisimImFDI₂ (terminate x) (node P')
             (eqterminate (termeqnode terequivP)))) ,,
        (λ l → λ {(tnode tr) →
           ⊥-elim (infTrNotTerEquiv+ P' l tr x terequivP)})
  bisimFDI (node P) (terminate x) (eqterminater (termeqnode terequivP))
      = (((bisimTraceEq (node P) (terminate x)
             (eqterminater (termeqnode terequivP))) ,,
          (bisimImTrD (node P) (terminate x)
             (eqterminater (termeqnode terequivP)))) ,,
         (bisimImFDI₂ (node P) (terminate x)
             (eqterminater (termeqnode terequivP)))) ,,
        (λ l → λ {()})
  bisimFDI (node P) (node P') (eqnode bisimQQ')
      = (((bisimTraceEq (node P) (node P') (eqnode bisimQQ')) ,,
          (bisimImTrD (node P) (node P') (eqnode bisimQQ'))) ,,
         (bisimImFDI₂ (node P) (node P') (eqnode bisimQQ'))) ,,
        (bisimImFDI₃ (node P) (node P') (eqnode bisimQQ'))

mutual
  bisimFDIr : {lu : LUniv}{c : Choice}(P P' : Process ∞ {lu} c)
              (PP' : Bisimw {∞} P P') → P' ⊑fdi P
  bisimFDIr (terminate x) (terminate .x) (eqterminate termeqterm) =
      (((λ l m tr → tr) ,, (λ l x₁ → x₁)) ,, (λ l X x₁ → x₁)) ,,
      (λ l → λ {()})
  bisimFDIr (terminate x) (terminate .x) (eqterminater termeqterm) =
      (((λ l m tr → tr) ,, (λ l x₁ → x₁)) ,, (λ l X x₁ → x₁)) ,,
      (λ l → λ {()})
  bisimFDIr (terminate x) (node P') (eqterminate terequiv) =
      (((bisimTraceEq (node P') (terminate x) (eqterminater terequiv)) ,,
        (bisimImTrD (node P') (terminate x) (eqterminater terequiv))) ,,
       (bisimImFDI₂ (node P') (terminate x) (eqterminater terequiv))) ,,
      (λ l → λ {()})
  bisimFDIr (node P) (terminate x) (eqterminater (termeqnode terequivP)) =
      (((bisimTraceEq (terminate x) (node P)
           (eqterminate (termeqnode terequivP))) ,,
        (bisimImTrD (terminate x) (node P)
           (eqterminate (termeqnode terequivP)))) ,,
       (bisimImFDI₂ (terminate x) (node P)
           (eqterminate (termeqnode terequivP)))) ,,
      (λ l → λ {(tnode tr) →
         ⊥-elim (infTrNotTerEquiv+ P l tr x terequivP)})
  bisimFDIr (node P) (node P') (eqnode bisimQQ') =
      (((bisimTraceEq (node P') (node P) (BismwSym (node P) (node P')
           (eqnode bisimQQ'))) ,,
        (bisimImTrD (node P') (node P) (BismwSym (node P) (node P')
           (eqnode bisimQQ')))) ,,
       (bisimImFDI₂ (node P') (node P) (BismwSym (node P) (node P')
           (eqnode bisimQQ')))) ,,
      (bisimImFDI₃ (node P') (node P) (BismwSym (node P) (node P')
           (eqnode bisimQQ')))

bisimFDIImpEq : {lu : LUniv}{c : Choice}(P P' : Process ∞ {lu} c) (PP' : Bisimw {∞} P' P)
                → P' =fdi P
bisimFDIImpEq P P' PP' = (bisimFDI P' P PP') ,, (bisimFDIr P' P PP')

--@BEGIN@bisimFdiRef
bisimImFdiRef : {lu : LUniv}{c : Choice} (P P' : Process+ ∞ {lu} c)
                (PP' : Bisimw+ {∞} P P')
                → P ⊑fdi+ P'
bisimImFdiRef P P' PP' = ((bisimTraceEq+ P P' PP' ,,
                           bisimImFDI₁ P P' PP') ,,
                           bisimImFDI₂+ P P' PP') ,,
                           bisimImFDI₃+ P P' PP'
--@END

--@BEGIN@bisimFdiRefTheo
bisimImFdiEquiv : {lu : LUniv}{c : Choice}
                  (P P' : Process+ ∞ {lu} c)
                  (PP' : Bisimw+ {∞} P P')
                  → P =fdi+ P'
--@END

--@BEGIN@bisimFdiRefTheoProof
bisimImFdiEquiv P P' PP' = bisimImFdiRef P P' PP' ,,
                           bisimImFdiRef P' P (BismwSym+ P P' PP')
--@END

--@BEGIN@bisimsFdiRef
bisimsImFdiRef : {lu : LUniv}{c : Choice} (P P' : Process+ ∞ {lu} c)
                 (PP' : Bisims+ {∞} P P')
                 → P ⊑fdi+ P'
bisimsImFdiRef P P' PP' = bisimImFdiRef P P' (bisimsToBismw+ P P' PP')

bisimsImFdiEquiv : {lu : LUniv}{c : Choice} (P P' : Process+ ∞ {lu} c)
                   (PP' : Bisims+ {∞} P P')
                   → P =fdi+ P'
bisimsImFdiEquiv P P' PP' = bisimImFdiEquiv P P' (bisimsToBismw+ P P' PP')
--@END


A.18 bisimImpliesRefinementInfiniteTraces.agda

--@PREFIX@bisimImpliesRefinementInfiniteTraces
module bisimImpliesRefinementInfiniteTraces where

open import process
open import choiceSetU
open import Size
open import Data.List.Base
open import Data.Maybe
open import Data.Sum
open import TraceWithNextProcess
open import bisimilarity
open import bisimImpliesBisim
open import labelUniv
open import fdi
open import fdiRefusal
open import bisimForNextProcess
open import auxData
open import bisimImpliesTraceEquiv
open import bisimilarityProofs
open import RefWithoutSize
open import TraceWithoutSize
open import bisimSImpliesBisimw
open import bisimImpliesFDI


A. 19 bisimlmpliesTraceEquiv. agda 


--@PREFIX@bisimImpliesTrace 
module bisimlmpliesTraceEquiv where 


open 
open 
open 
open 
open 
open 
open 
open 
open 
open 
open 
open 
open 
o- 


mport process 
mport choiceSetU 
mport Size 

mport Data.List.Base 
mport Data.Maybe 
mport Data.Sum 
mport TraceWithNextProcess 
mport TraceWithoutSize 
mport RefWithoutSize 
mport bisimilarity 
mport bisimlmpliesBisim 
mport tracelmpliesTraceP 
mport bisimSImpliesBisimw 
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open import labelUniv 
open import traceEquivalence 
open import Data.Product 
open import bisimSImpliesBisimw 

mutual 

--@BEGIN@bisimTraceTheo 


bisimTraceEqoo 

: {lu : LUniv}{c : Choice} 

(P P’ : Processoo oo {lu} c ) 

(PP’ : Bisimwoo {00} P P’) 

P Coo P’ 

bisimTraceEq 

: {lu : LUniv}{c : Choice} 

(P P’ : Process 00 c) 

(PP’: Bisimw {00} P P’) 

-> P\ZP’ 

bisimTraceEq+ 

: {lu : LUniv}{c : Choice} 

(P P’ : Process+ 00 c) 

(PP’: Bisimw+ {00} P P’) 

—)■ P C+ P’ 

--SEND 



--@BEGIN@bisimTraceinf 

bisimTraceEqoo P P’ PP’ l m tr = bisimTraceEq (forcep P) 


--(SEND 

(forcep P’) (forceB PP’ {00}) l m tr 


--@BEGIN@bisimTrace 

bisimTraceEq .(terminate x) .(terminate x ) (eqterminate termeqterm) 
.[] .(just x) (ter x) = ter x 

bisimTraceEq P .(terminate x) (eqterminater terequivP ) 

.[] .(just x) (ter x) = 


bisimTraceEq 

termEquivalentlmpliesTrace P terequivP 
.(terminate x) .(terminate x) (eqterminate termeqterm) 


o 
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.[] .nothing (empty x ) = empty x 
bisimTraceEq P .(terminate x) (eqterminater terequivP) 

.[] .nothing (empty x) = 
termEquivalentlmpliesTraceEmpty P terequivP 
bisimTraceEq .(terminate a) .(node P) (eqterminate {a} terEquivP ) 

.1 .x (tnode {/} {x} {P} tr ) = 
termEquivalentTracelsTerTrace+ P l terEquivP tr 
bisimTraceEq .(node Q ) .(node Q’) (eqnode { Q } {Q’} QQ’) ■[] .nothing 
(tnode {.[]} {.nothing} {.Q’} empty) = tnode empty 
bisimTraceEq { lu}{c } .(node P) .(node P’) (eqnode {P} {P’} PP’) 

.(Lab P’ x :: l) .me (tnode (extc l me x tr 2 ’)) = tnode tr 

where 

Q' : Processoo oo { lu} c 
Q’ = PE PA 


Q : Processoo oo {lu} c 
Q = bisimEP’r PP’ x 

QQ’ : Bisimwoo Q Q’ 

QQ' = bisimEnextr PP’ x 

tri : P —)>+*[ Lab P’ x :: [] ] (forcep Q) 
tr! = bisimEtrr PP’ x 

tr 2 " : Troo {lu} {c} l me Q’ 
tr 2 " = tr 2 ’ 

tr 2 : Troo {lu} {c} l me Q 

tr 2 = bisimTraceEqoo {lu} {c} Q Q’ QQ’ l me tr 2 ” 

tr : Tr+ {lu} {c} (Lab P’ x :: l) me P 

tr = traceAppendTrw+ c P (forcep Q) (Lab P’ x :: []) 

l me tri tr 2 


bisimTraceEq {lu} {c} .(node P) .(node P’) (eqnode {P} {P’} PP’) 
l me (tnode (intc .1 .me x tr 2 ’)) = tnode tr 

where 

Q’ : Processoo oo {lu} c 
Q’ = PI P’x 
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Q : Processoo oo {lu} c 
Q = bisimIP’r PP’ x 

QQ' : Bisimwcx) Q Q' 

QQ’ = bisimlnextr PP’ x 

tri : P -)•+*[ [] ] (forcep Q) 
tiq = bisimltrr PP’ x 

tr2 : Troo {lu} {c} l me Q 

tr 2 = bisimTraceEqoo {lu}{c} Q Q’ QQ’ l me tr 2 ’ 

tr : Tr+ {lu}{c} ([] ++ 1 ) me P 

tr = traceAppendTrw+ c P (forcep Q) [] l me tr! tr 2 

bisimTraceEq { lu}{c } .(node P) .(node P’) (eqnode {F} {P’} PP’) 
.[] .(just (PT P’ x)) (tnode {.[]} {.(just (PT P’ x))} 
{.P’} (terc x)) = 

tnode (trPtoTr+ [] (inj 2 (PT P’ x)) Ftri) 

where 

tri : TrP+ [] (inj 2 (PT P’x)) P 
tri = bisimTtrr PP’ x 

--SEND 


--@BEGIN@bisimTracePlus 
bisimTraceEq+ P P’ PP ’ .[] .nothing empty = empty 

bisimTraceEq+ {^}{c} P P’ PP’ .(Lab P’ x :: 4 ) m (extc 4 .m x tr 2 ’) = tr 
where 

Q' : Processoo oo {lu} c 
Q' = PE P’x 


Q : Processoo oo {lu} c 
Q = bisimEP’r PP’ x 


o 


QQ’ : Bisimwoo Q Q’ 

QQ' = bisimEnextr PP’ x 


-o 
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tri : P —)•+*[ Lab P’ x :: [] ] (forcep Q) 
tri = bisimEtrr PP’ x 

tr 2 ” : Troo {4/}{c} 4 m Q’ 
tr 2 ” = tr 2 ’ 

tr 2 : Troo { 4 /}{c} 4 m Q 

tr 2 = bisimTraceEqoo {lu}{c} Q Q’ QQ’ 4 m tr 2 ” 

tr : Tr+ {lu}{c} (Lab P’ x :: 4 ) fn P 
tr = traceAppendTrw+ c P (forcep Q) 

(Lab P’ x :: []) 4 ra tri tr 2 

bisimTraceEq+ P P’ PP’ l m (intc .1 .m x tr 2 ’) = tr 

where 

Q’ : Processoo oo { lu } c 
Q’ = PI P’x 


Q : Processoo oo {lu} c 
Q = bisimIP’r PP’ x 

QQ' : Bisimwoo Q Q' 

QQ’ = bisimlnextr PP’ x 

tri : P ->•+*[ [] ] (forcep Q) 
tri = bisimltrr PP’ x 

tr 2 : Troo l m Q 

tr 2 = bisimTraceEqoo Q Q’ QQ’ l m tr 2 ’ 

tr : Tr+ {lu}{c} ([] ++ l) m P 

tr = traceAppendTrw+ c P (forcep Q) [] l m tri tr 2 

bisimTraceEq+ P P’ PP’ .[] .(just (PT P’t)) (terc t) = 

trPtoTr+ [] (inj 2 (PT P’t)) P tri 

where 

tri : TrP+ [] (inj 2 (PT P’t)) P 
tri = bisimTtrr PP’t 


--(SEND 


a 
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mutual 

  --@BEGIN@SbisimTracinf
  SbisimTraceEq∞ : {lu : LUniv}{c : Choice}(P P' : Process∞ ∞ {lu} c)
                   (PP' : Bisims∞ {∞} P P') → P ⊑∞ P'
  SbisimTraceEq∞ {lu}{c} P P' PP' l m tr = SbisimTraceEq
                                            (forcep P) (forcep P') (forceB PP') l m tr
  --@END

  --@BEGIN@SbisimTrac
  SbisimTraceEq : {lu : LUniv}{c : Choice}(P P' : Process ∞ c)
                  (PP' : Bisims {∞} P P') → P ⊑ P'
  SbisimTraceEq .(terminate x) .(terminate x) eqterminate
                .[] .(just x) (ter x) = ter x
  SbisimTraceEq .(terminate x) .(terminate x) eqterminate
                .[] .nothing (empty x) = empty x
  SbisimTraceEq .(node P) .(node P') (eqnode {P} {P'} PP')
                .[] .nothing (tnode empty) = tnode empty
  SbisimTraceEq {lu}{c} .(node P) .(node P') (eqnode {P} {P'} PP')
                .(Lab P' x ∷ l) me (tnode (extc l .me x tr₂')) = tnode tr
    where
      Q' : Process∞ ∞ {lu} c
      Q' = PE P' x

      Q : Process∞ ∞ {lu} c
      Q = bisimEP'r (bisimsToBismw+ P P' PP') x

      QQ' : Bisimw∞ Q Q'
      QQ' = bisimEnextr (bisimsToBismw+ P P' PP') x

      tr₁ : P →+*[ Lab P' x ∷ [] ] (forcep Q)
      tr₁ = bisimEtrr (bisimsToBismw+ P P' PP') x

      tr₂'' : Tr∞ {lu}{c} l me Q'
      tr₂'' = tr₂'

      tr₂ : Tr∞ {lu}{c} l me Q
      tr₂ = bisimTraceEq∞ {lu}{c} Q Q' QQ' l me tr₂''

      tr : Tr+ {lu}{c} (Lab P' x ∷ l) me P
      tr = traceAppendTrw+ c P (forcep Q) (Lab P' x ∷ []) l me tr₁ tr₂

  SbisimTraceEq {lu}{c} .(node P) .(node P') (eqnode {P} {P'} PP')
                l me (tnode (intc .l .me x tr₂')) = tnode tr
    where
      Q' : Process∞ ∞ {lu} c
      Q' = PI P' x

      Q : Process∞ ∞ {lu} c
      Q = bisimIP'r (bisimsToBismw+ P P' PP') x

      QQ' : Bisimw∞ Q Q'
      QQ' = bisimInextr (bisimsToBismw+ P P' PP') x

      tr₁ : P →+*[ [] ] (forcep Q)
      tr₁ = bisimItrr (bisimsToBismw+ P P' PP') x

      tr₂'' : Tr∞ l me Q'
      tr₂'' = tr₂'

      tr₂ : Tr∞ {lu}{c} l me Q
      tr₂ = bisimTraceEq∞ Q Q' QQ' l me tr₂''

      tr : Tr+ {lu}{c} ([] ++ l) me P
      tr = traceAppendTrw+ c P (forcep Q) [] l me tr₁ tr₂

  SbisimTraceEq .(node P) .(node P') (eqnode {P} {P'} PP')
                .[] .(just (PT P' x)) (tnode (terc x)) =
                tnode (trPtoTr+ [] (inj₂ (PT P' x)) P tr₁)
    where
      tr₁ : TrP+ [] (inj₂ (PT P' x)) P
      tr₁ = bisimTtrr (bisimsToBismw+ P P' PP') x
  --@END


{- We prove the reverse directions of the previous statements -}
--@BEGIN@bisimTraceReverse
bisimTraceEq∞r : {lu : LUniv}{c : Choice}(P P' : Process∞ ∞ {lu} c)
                 (PP' : Bisimw∞ {∞} P P') → P' ⊑∞ P
bisimTraceEq∞r P P' PP' = bisimTraceEq∞ P' P (BismwSym∞ P P' PP')

bisimTraceEq+r : {lu : LUniv}{c : Choice}(P P' : Process+ ∞ {lu} c)
                 (PP' : Bisimw+ {∞} P P') → P' ⊑+ P
bisimTraceEq+r P P' PP' = bisimTraceEq+ P' P (BismwSym+ P P' PP')

bisimTraceEqr : {lu : LUniv}{c : Choice}(P P' : Process ∞ {lu} c)
                (PP' : Bisimw {∞} P P') → P' ⊑ P
bisimTraceEqr P P' PP' = bisimTraceEq P' P (BismwSym P P' PP')
--@END

{- We prove that weak bisimilarity implies trace equivalence -}

--@BEGIN@bisimTraceEqTheo
bisimTraceEq∞≡ : {lu : LUniv}{c : Choice}
                 (P P' : Process∞ ∞ {lu} c)
                 (PP' : Bisimw∞ {∞} P P')
                 → P ≡∞ P'

bisimTraceEq+≡ : {lu : LUniv}{c : Choice}
                 (P P' : Process+ ∞ {lu} c)
                 (PP' : Bisimw+ {∞} P P')
                 → P ≡+ P'

bisimTraceEq≡ : {lu : LUniv}{c : Choice}
                (P P' : Process ∞ {lu} c)
                (PP' : Bisimw {∞} P P')
                → P ≡ P'
--@END

--@BEGIN@bisimTraceEq
bisimTraceEq∞≡ P P' PP' = bisimTraceEq∞ P P' PP' ,
                          bisimTraceEq∞r P P' PP'

bisimTraceEq+≡ P P' PP' = bisimTraceEq+ P P' PP' ,
                          bisimTraceEq+r P P' PP'

bisimTraceEq≡ P P' PP' = bisimTraceEq P P' PP' ,
                         bisimTraceEqr P P' PP'
--@END

{- We prove that strong bisimilarity implies trace equivalence -}

--@BEGIN@bisimTraceEqsTheo
bisimTraceEqs∞≡ : {lu : LUniv}{c : Choice}
                  (P P' : Process∞ ∞ {lu} c)
                  (PP' : Bisims∞ {∞} P P')
                  → P ≡∞ P'

bisimTraceEqs+≡ : {lu : LUniv}{c : Choice}
                  (P P' : Process+ ∞ {lu} c)
                  (PP' : Bisims+ {∞} P P')
                  → P ≡+ P'

bisimTraceEqs≡ : {lu : LUniv}{c : Choice}
                 (P P' : Process ∞ {lu} c)
                 (PP' : Bisims {∞} P P')
                 → P ≡ P'
--@END

--@BEGIN@bisimTraceEqs
bisimTraceEqs∞≡ P P' PP' =
    bisimTraceEq∞≡ P P' (bisimsToBismw∞ P P' PP')

bisimTraceEqs+≡ P P' PP' =
    bisimTraceEq+≡ P P' (bisimsToBismw+ P P' PP')

bisimTraceEqs≡ P P' PP' =
    bisimTraceEq≡ P P' (bisimsToBismw P P' PP')
--@END

A.20 bisimLemFmap.agda

module bisimLemFmap where

open import process
open import choiceSetU
open import label
open import Size
open import Relation.Binary.PropositionalEquality
open import Data.Unit.Base
open import Data.Empty
open import Data.List
open import Data.Sum
open import TraceWithNextProcess
open import renamingResult
open import dataAuxFunction
open import fdi
open import bisimilarity
open import bisimSym
open import addTick
open import Data.Fin
open import labelUniv

mutual
  lemBisimFmap+ : {lu : LUniv}{c₀ c₁ c₂ : Choice} → (f : ChoiceSet c₀ → ChoiceSet c₁)
                  → (g : ChoiceSet c₁ → ChoiceSet c₂)
                  → (P : Process+ ∞ {lu} c₀)
                  → Bisims+ (fmap+ (g ∘ f) P) (fmap+ g (fmap+ f P))
  bisim2E (lemBisimFmap+ f g P) e = e
  bisimELab (lemBisimFmap+ f g P) e = refl
  bisimENext (lemBisimFmap+ f g P) e = lemBisimFmap∞ f g (PE P e)
  bisim2I (lemBisimFmap+ f g P) e = e
  bisimINext (lemBisimFmap+ f g P) e = lemBisimFmap∞ f g (PI P e)
  bisim2T (lemBisimFmap+ f g P) e = e
  bisim2TEq (lemBisimFmap+ f g P) e = refl
  bisim2Er (lemBisimFmap+ f g P) e = e
  bisimELabr (lemBisimFmap+ f g P) e = refl
  bisimENextr (lemBisimFmap+ f g P) e = lemBisimFmap∞ f g (PE P e)
  bisim2Ir (lemBisimFmap+ f g P) e = e
  bisimINextr (lemBisimFmap+ f g P) e = lemBisimFmap∞ f g (PI P e)
  bisim2Tr (lemBisimFmap+ f g P) e = e
  bisim2TEqr (lemBisimFmap+ f g P) e = refl

  lemBisimFmap∞ : {lu : LUniv}{c₀ c₁ c₂ : Choice} → (f : ChoiceSet c₀ → ChoiceSet c₁)
                  → (g : ChoiceSet c₁ → ChoiceSet c₂)
                  → (P : Process∞ ∞ {lu} c₀)
                  → Bisims∞ (fmap∞ (g ∘ f) P) (fmap∞ g (fmap∞ f P))
  forceB (lemBisimFmap∞ f g P) = lemBisimFmap f g (forcep P)

  lemBisimFmap : {lu : LUniv}{c₀ c₁ c₂ : Choice} → (f : ChoiceSet c₀ → ChoiceSet c₁)
                 → (g : ChoiceSet c₁ → ChoiceSet c₂)
                 → (P : Process ∞ {lu} c₀)
                 → Bisims (fmap (g ∘ f) P) (fmap g (fmap f P))
  lemBisimFmap f g (terminate x) = eqterminate
  lemBisimFmap f g (node x) = eqnode (lemBisimFmap+ f g x)

mutual
  lemBisimFmap+R : {lu : LUniv}{c₀ c₁ c₂ : Choice} → (f : ChoiceSet c₀ → ChoiceSet c₁)
                   → (g : ChoiceSet c₁ → ChoiceSet c₂)
                   → (P : Process+ ∞ {lu} c₀)
                   → Bisims+ (fmap+ g (fmap+ f P)) (fmap+ (g ∘ f) P)
  bisim2E (lemBisimFmap+R f g P) e = e
  bisimELab (lemBisimFmap+R f g P) e = refl
  bisimENext (lemBisimFmap+R f g P) e = lemBisimFmap∞R f g (PE P e)
  bisim2I (lemBisimFmap+R f g P) e = e
  bisimINext (lemBisimFmap+R f g P) e = lemBisimFmap∞R f g (PI P e)
  bisim2T (lemBisimFmap+R f g P) e = e
  bisim2TEq (lemBisimFmap+R f g P) e = refl
  bisim2Er (lemBisimFmap+R f g P) e = e
  bisimELabr (lemBisimFmap+R f g P) e = refl
  bisimENextr (lemBisimFmap+R f g P) e = lemBisimFmap∞R f g (PE P e)
  bisim2Ir (lemBisimFmap+R f g P) e = e
  bisimINextr (lemBisimFmap+R f g P) e = lemBisimFmap∞R f g (PI P e)
  bisim2Tr (lemBisimFmap+R f g P) e = e
  bisim2TEqr (lemBisimFmap+R f g P) e = refl

  lemBisimFmap∞R : {lu : LUniv}{c₀ c₁ c₂ : Choice} → (f : ChoiceSet c₀ → ChoiceSet c₁)
                   → (g : ChoiceSet c₁ → ChoiceSet c₂)
                   → (P : Process∞ ∞ {lu} c₀)
                   → Bisims∞ (fmap∞ g (fmap∞ f P)) (fmap∞ (g ∘ f) P)
  forceB (lemBisimFmap∞R f g P) = lemBisimFmapR f g (forcep P)

  lemBisimFmapR : {lu : LUniv}{c₀ c₁ c₂ : Choice} → (f : ChoiceSet c₀ → ChoiceSet c₁)
                  → (g : ChoiceSet c₁ → ChoiceSet c₂)
                  → (P : Process ∞ {lu} c₀)
                  → Bisims (fmap g (fmap f P)) (fmap (g ∘ f) P)
  lemBisimFmapR f g (terminate x) = eqterminate
  lemBisimFmapR f g (node x) = eqnode (lemBisimFmap+R f g x)


mutual
  addTimeFmapBisimLemma+ : {lu : LUniv} {c₀ c₁ c₂ : Choice}
                           (f : ChoiceSet c₀ → ChoiceSet c₁)
                           (g : ChoiceSet c₁ → ChoiceSet c₂)
                           (P : Process+ ∞ {lu} c₀)
                           (a : ChoiceSet c₁)
                           → Bisims+ (addTimed✓+ (g a) (fmap+ (g ∘ f) P))
                                     (fmap+ g (addTimed✓+ a (fmap+ f P)))
  bisim2E (addTimeFmapBisimLemma+ f g P a) e = e
  bisimELab (addTimeFmapBisimLemma+ f g P a) e = refl
  bisimENext (addTimeFmapBisimLemma+ f g P a) e = lemBisimFmap∞ f g (PE P e)
  bisim2I (addTimeFmapBisimLemma+ f g P a) e = e
  bisimINext (addTimeFmapBisimLemma+ f g P a) e = addTimeFmapBisimLemma∞ f g (PI P e) a
  bisim2T (addTimeFmapBisimLemma+ f g P a) (inj₁ x) = inj₁ x
  bisim2T (addTimeFmapBisimLemma+ f g P a) (inj₂ y) = inj₂ y
  bisim2TEq (addTimeFmapBisimLemma+ f g P a) (inj₁ x) = refl
  bisim2TEq (addTimeFmapBisimLemma+ f g P a) (inj₂ y) = refl
  bisim2Er (addTimeFmapBisimLemma+ f g P a) e = e
  bisimELabr (addTimeFmapBisimLemma+ f g P a) e = refl
  bisimENextr (addTimeFmapBisimLemma+ f g P a) e = lemBisimFmap∞ f g (PE P e)
  bisim2Ir (addTimeFmapBisimLemma+ f g P a) e = e
  bisimINextr (addTimeFmapBisimLemma+ f g P a) e = addTimeFmapBisimLemma∞ f g (PI P e) a
  bisim2Tr (addTimeFmapBisimLemma+ f g P a) (inj₁ x) = inj₁ x
  bisim2Tr (addTimeFmapBisimLemma+ f g P a) (inj₂ y) = inj₂ y
  bisim2TEqr (addTimeFmapBisimLemma+ f g P a) (inj₁ x) = refl
  bisim2TEqr (addTimeFmapBisimLemma+ f g P a) (inj₂ y) = refl

  addTimeFmapBisimLemma∞ : {lu : LUniv} {c₀ c₁ c₂ : Choice}
                           (f : ChoiceSet c₀ → ChoiceSet c₁)
                           (g : ChoiceSet c₁ → ChoiceSet c₂)
                           (P : Process∞ ∞ {lu} c₀)
                           (a : ChoiceSet c₁)
                           → Bisims∞ (addTimed✓∞ (g a) (fmap∞ (g ∘ f) P))
                                     (fmap∞ g (addTimed✓∞ a (fmap∞ f P)))
  forceB (addTimeFmapBisimLemma∞ {lu} f g P a) = addTimeFmapBisimLemma {lu} f g (forcep P) a

  addTimeFmapBisimLemma : {lu : LUniv} {c₀ c₁ c₂ : Choice}
                          (f : ChoiceSet c₀ → ChoiceSet c₁)
                          (g : ChoiceSet c₁ → ChoiceSet c₂)
                          (P : Process ∞ {lu} c₀)
                          (a : ChoiceSet c₁)
                          → Bisims (addTimed✓ (g a) (fmap (g ∘ f) P))
                                   (fmap g (addTimed✓ a (fmap f P)))
  addTimeFmapBisimLemma f g (terminate x) a = eqnode (lem f g x a)
  addTimeFmapBisimLemma f g (node x) a = eqnode (addTimeFmapBisimLemma+ f g x a)

  lem : {lu : LUniv} {c₀ c₁ c₂ : Choice}
        → (f : ChoiceSet c₀ → ChoiceSet c₁)
        → (g : ChoiceSet c₁ → ChoiceSet c₂)
        → (x : ChoiceSet c₀)
        → (a : ChoiceSet c₁)
        → Bisims+ {lu = lu} (fmap+ unifyA⊎A (2-✓+ (g a) ((g ∘ f) x)))
                            (fmap+ g (fmap+ unifyA⊎A (2-✓+ a (f x))))
  bisim2E (lem f g x a) ()
  bisimELab (lem f g x a) ()
  bisimENext (lem f g x a) ()
  bisim2I (lem f g x a) ()
  bisimINext (lem f g x a) ()
  bisim2T (lem f g x a) e = e
  bisim2TEq (lem f g x a) zero = refl
  bisim2TEq (lem f g x a) (suc zero) = refl
  bisim2TEq (lem f g x a) (suc (suc ()))
  bisim2Er (lem f g x a) ()
  bisimELabr (lem f g x a) ()
  bisimENextr (lem f g x a) ()
  bisim2Ir (lem f g x a) ()
  bisimINextr (lem f g x a) ()
  bisim2Tr (lem f g x a) e = e
  bisim2TEqr (lem f g x a) zero = refl
  bisim2TEqr (lem f g x a) (suc zero) = refl
  bisim2TEqr (lem f g x a) (suc (suc ()))

A.21 bisimSImpliesBisimw.agda

--@PREFIX@bisimSImpliesBisimw
module bisimSImpliesBisimw where

open import process
open import choiceSetU
open import labelUniv
open import Size
open import Data.List
open import Data.Sum
open import TraceWithNextProcess
open import bisimilarity
open import bisimilarityProofs

mutual
  --@BEGIN@bisimsToBismwTheo
  bisimsToBismw∞ : {i : Size}{lu : LUniv}{c : Choice}
                   (P P' : Process∞ ∞ {lu} c)
                   → Bisims∞ {i} P P'
                   → Bisimw∞ {i} P P'

  bisimsToBismw : {i : Size}{lu : LUniv}{c : Choice}
                  (P P' : Process ∞ {lu} c)
                  → Bisims {i} P P'
                  → Bisimw {i} P P'

  bisimsToBismw+ : {i : Size}{lu : LUniv}{c : Choice}
                   (P P' : Process+ ∞ {lu} c)
                   → Bisims+ {i} P P'
                   → Bisimw+ {i} P P'
  --@END

  --@BEGIN@bisimsToBismwinf
  forceB (bisimsToBismw∞ {i} P P' PP') {j} = bisimsToBismw
                                              (forcep P) (forcep P') (forceB PP' {j})
  --@END

  --@BEGIN@bisimsToBismw
  bisimsToBismw .(terminate a) .(terminate a) (eqterminate {a}) =
                eqterminate termeqterm
  bisimsToBismw .(node Q) .(node Q') (eqnode {Q} {Q'} x) =
                eqnode (bisimsToBismw+ Q Q' x)
  --@END

  --@BEGIN@bisimsToBismwplus
  bisimdiv (bisimsToBismw+ P P' PP') = divLemBisims+ P P' PP'
  nondiv+ (bisimsToBismw+ P P' PP') = nondivLemBisims+ P P' PP'
  bisimEP' (bisimsToBismw+ P P' PP') e = PE P' (bisim2E PP' e)
  bisimEtr (bisimsToBismw+ P P' PP') e rewrite (bisimELab PP' e) =
           extc [] (inj₁ (forcep (PE P' (bisim2E PP' e))))
                (bisim2E PP' e) (reflTrP∞ (PE P' (bisim2E PP' e)))
  bisimEnext (bisimsToBismw+ P P' PP') e =
           bisimsToBismw∞ (PE P e) (PE P' (bisim2E PP' e))
                          (bisimENext PP' e)
  bisimIP' (bisimsToBismw+ P P' PP') e = PI P' (bisim2I PP' e)
  bisimItr (bisimsToBismw+ P P' PP') e =
           intc [] (inj₁ (forcep (PI P' (bisim2I PP' e))))
                (bisim2I PP' e) (reflTrP∞ (PI P' (bisim2I PP' e)))
  bisimInext (bisimsToBismw+ P P' PP') e =
           bisimsToBismw∞ (PI P e) (PI P' (bisim2I PP' e))
                          (bisimINext PP' e)
  bisimTtr (bisimsToBismw+ P P' PP') t rewrite (bisim2TEq PP' t) =
           terc (bisim2T PP' t)
  bisimdivr (bisimsToBismw+ P P' PP') = divLemBisims+r P P' PP'
  nondiv+r (bisimsToBismw+ P P' PP') = nondivLemBisims+r P P' PP'
  bisimEP'r (bisimsToBismw+ P P' PP') e = PE P (bisim2Er PP' e)
  bisimEtrr (bisimsToBismw+ P P' PP') e rewrite (bisimELabr PP' e) =
           extc [] (inj₁ (forcep (PE P (bisim2Er PP' e))))
                (bisim2Er PP' e) (reflTrP∞ (PE P (bisim2Er PP' e)))
  bisimEnextr (bisimsToBismw+ P P' PP') e =
           bisimsToBismw∞ (PE P (bisim2Er PP' e)) (PE P' e)
                          (bisimENextr PP' e)
  bisimIP'r (bisimsToBismw+ P P' PP') e = PI P (bisim2Ir PP' e)
  bisimItrr (bisimsToBismw+ P P' PP') e =
           intc [] (inj₁ (forcep (PI P (bisim2Ir PP' e))))
                (bisim2Ir PP' e) (reflTrP∞ (PI P (bisim2Ir PP' e)))
  bisimInextr (bisimsToBismw+ P P' PP') e =
           bisimsToBismw∞ (PI P (bisim2Ir PP' e)) (PI P' e)
                          (bisimINextr PP' e)
  bisimTtrr (bisimsToBismw+ P P' PP') t rewrite (bisim2TEqr PP' t) =
           terc (bisim2Tr PP' t)
  --@END


A.22 bisimSym.agda

--@PREFIX@bisimSym
module bisimSym where

open import process
open import choiceSetU
open import Size
open import Data.List
open import Data.Sum
open import TraceWithNextProcess
open import bisimilarity
open import Agda.Builtin.Equality
open import labelUniv

mutual
  --@BEGIN@BismwRefinfTheo
  BismwRef∞ : {i : Size}{lu : LUniv}{c : Choice}
              (P : Process∞ ∞ {lu} c)
              → Bisimw∞ {i} P P

  BismwRef : {i : Size}{lu : LUniv}{c : Choice}
             (P : Process ∞ {lu} c)
             → Bisimw {i} P P

  BismwRef+ : {i : Size}{lu : LUniv}{c : Choice}
              (P : Process+ ∞ {lu} c)
              → Bisimw+ {i} P P
  --@END

  --@BEGIN@BismwRefinf
  forceB (BismwRef∞ {i} {lu} P) {j} = BismwRef {j} {lu} (forcep P)
  --@END

  --@BEGIN@BismwRef
  BismwRef (terminate x) = eqterminate termeqterm
  BismwRef (node x) = eqnode (BismwRef+ x)
  --@END

  --@BEGIN@BismwRefplus
  bisimdiv (BismwRef+ P) e = e
  nondiv+ (BismwRef+ P) e = e
  bisimEP' (BismwRef+ P) e = PE P e
  bisimEtr (BismwRef+ P) e =
     extc [] (inj₁ (forcep (PE P e))) e (reflTrP∞ (PE P e))
  bisimEnext (BismwRef+ P) e = BismwRef∞ (PE P e)
  bisimIP' (BismwRef+ P) i = PI P i
  bisimItr (BismwRef+ P) e =
     intc [] (inj₁ (forcep (PI P e))) e (reflTrP∞ (PI P e))
  bisimInext (BismwRef+ P) e = BismwRef∞ (PI P e)
  bisimTtr (BismwRef+ P) e = terc e
  bisimdivr (BismwRef+ P) e = e
  nondiv+r (BismwRef+ P) e = e
  bisimEP'r (BismwRef+ P) e = PE P e
  bisimEtrr (BismwRef+ P) e =
     extc [] (inj₁ (forcep (PE P e))) e (reflTrP∞ (PE P e))
  bisimEnextr (BismwRef+ P) e = BismwRef∞ (PE P e)
  bisimIP'r (BismwRef+ P) i = PI P i
  bisimItrr (BismwRef+ P) e =
     intc [] (inj₁ (forcep (PI P e))) e (reflTrP∞ (PI P e))
  bisimInextr (BismwRef+ P) e = BismwRef∞ (PI P e)
  bisimTtrr (BismwRef+ P) e = terc e
  --@END

mutual
  --@BEGIN@BismSRefTheo
  BismsRef∞ : {i : Size}{lu : LUniv}{c : Choice}
              (P : Process∞ ∞ {lu} c)
              → Bisims∞ {i} P P

  BismsRef : {i : Size}{lu : LUniv}{c : Choice}
             (P : Process ∞ {lu} c)
             → Bisims {i} P P

  BismsRef+ : {i : Size}{lu : LUniv}{c : Choice}
              (P : Process+ ∞ {lu} c)
              → Bisims+ {i} P P
  --@END

  --@BEGIN@BismSRefinf
  forceB (BismsRef∞ P) = BismsRef (forcep P)
  --@END

  --@BEGIN@BismSRef
  BismsRef (terminate x) = eqterminate
  BismsRef (node P) = eqnode (BismsRef+ P)
  --@END

  --@BEGIN@BismSRefplus
  bisim2E (BismsRef+ P) e = e
  bisimELab (BismsRef+ P) e = refl
  bisimENext (BismsRef+ P) e = BismsRef∞ (PE P e)
  bisim2I (BismsRef+ P) e = e
  bisimINext (BismsRef+ P) e = BismsRef∞ (PI P e)
  bisim2T (BismsRef+ P) e = e
  bisim2TEq (BismsRef+ P) e = refl
  bisim2Er (BismsRef+ P) e = e
  bisimELabr (BismsRef+ P) e = refl
  bisimENextr (BismsRef+ P) e = BismsRef∞ (PE P e)
  bisim2Ir (BismsRef+ P) e = e
  bisimINextr (BismsRef+ P) e = BismsRef∞ (PI P e)
  bisim2Tr (BismsRef+ P) e = e
  bisim2TEqr (BismsRef+ P) e = refl
  --@END


A.23 bisimwImpliesStableFailuresEquivalence.agda

--@PREFIX@bisimwImpliesStableFailuresEquivalence
module bisimwImpliesStableFailuresEquivalence where

open import process
open import choiceSetU
open import labelUniv
open import Size
open import Relation.Binary.PropositionalEquality
open import Data.Unit.Base
open import Data.Empty
open import Data.List
open import Data.Sum
open import TraceWithNextProcess
open import dataAuxFunction
open import fdi
open import fdiRefusal
open import bisimilarity
open import bisimSym
open import Data.Bool renaming (T to True)
open import Data.Product
open import bisimForNextProcess
open import traceImpliesTraceP
open import bisimImpliesBisim
open import bisimilarityProofs
open import auxData
open import bisimImpliesTraceEquiv
open import bisimSImpliesBisimw

--@BEGIN@bisimRefusalrosPlusStabFailRefsfOne
bisimwImplies⊑sf₁ : {lu : LUniv}{c : Choice} (P : Process ∞ {lu} c)
                    (P' : Process ∞ {lu} c)
                    (PP' : Bisimw {∞} P P')
                    → P ⊑sf₁ P'
bisimwImplies⊑sf₁ {lu}{c} P P' PP' l X
                  (stableFp Q' tr' stab' drefuse')
    = (stableFp Qhat trhat₂
               (stabSchNoTickIfRos2StablePar Qhat
                                             true stabSchQhat stabNoTick)
               drefusehat)
   where
    Qcom : Process ∞ {lu} c ⊎ ChoiceSet c
    Qcom = bisimTraceTrP₁ P P' PP' l (inj₁ Q') tr'

    trcom : TrP {lu} l (bisimTraceTrP₁ P P' PP' l
                                       (inj₁ Q') tr') P
    trcom = bisimTraceTrP₂ P P' PP' l (inj₁ Q') tr'

    QQ'com : BisimForNextP (bisimTraceTrP₁ P P' PP' l
                                           (inj₁ Q') tr') (inj₁ Q')
    QQ'com = bisimTraceTrP₃ P P' PP' l (inj₁ Q') tr'

    Q : Process ∞ {lu} c
    Q = lemmayyy₁ Qcom Q' stab' X drefuse' QQ'com

    tr : TrP {lu} l (inj₁ Q) P
    tr = lemmayyy₂ Qcom l P Q' stab' X drefuse' QQ'com trcom

    QQ' : Bisimw Q Q'
    QQ' = lemmayyy₃ Qcom Q' stab' X drefuse' QQ'com

    Qhat : Process ∞ {lu} c
    Qhat = nonDivBecomeStable₁ c Q
             (bisimStableImpliesNotDivergent c Q Q' QQ' stab'
                (stableImpliesNonDiv Q' stab'))

    trhat : TrP {lu} [] (inj₁ Qhat) Q
    trhat = nonDivBecomeStable₂ c Q
              (bisimStableImpliesNotDivergent c Q Q' QQ' stab'
                 (stableImpliesNonDiv Q' stab'))

    QhatQ' : Bisimw Qhat Q'
    QhatQ' = bisimPPWithEmptyTr Q Q' QQ' stab'
               (bisimStableImpliesNotDivergent c Q Q' QQ' stab'
                  (stableImpliesNonDiv Q' stab')) trhat

    stabSchQhat : stableSch Qhat
    stabSchQhat = nonDivBecomeStable₃ c Q
                    (bisimStableImpliesNotDivergent c Q Q' QQ' stab'
                       (stableImpliesNonDiv Q' stab'))

    stabNoTick : noTickIfRoscoe true Qhat
    stabNoTick = bisimwStableToNoTick Qhat Q' QhatQ' stab' stabSchQhat

    trhat₁ : TrP {lu} (l ++ []) (inj₁ Qhat) P
    trhat₁ = trPAppendTrw c P Q l [] (inj₁ Qhat) tr trhat

    eql : (l ++ []) ≡ l
    eql = lemEqList l

    trhat₂ : TrP {lu} l (inj₁ Qhat) P
    trhat₂ = subst (λ l' → TrP {lu} l' (inj₁ Qhat) P) eql trhat₁

    drefusehat : DRefusal Qhat true X
    drefusehat = bisimDRefusal Q' Qhat stab'
                   (BismwSym Qhat Q' QhatQ') X true drefuse'
--@END

--@BEGIN@bisimRefusalrosPlusStabFailRefsfOnePlus
bisimwImplies⊑sf₁+ : {lu : LUniv}{c : Choice} (P : Process+ ∞ {lu} c)
                     (P' : Process+ ∞ {lu} c)
                     (PP' : Bisimw+ {∞} P P')
                     → P ⊑sf₁+ P'
--@END

bisimwImplies⊑sf₁+ {lu}{c} P P' PP' l X
                   (stableFp Q' tr' stab' drefuse')
    = (stableFp Qhat trhat₂
               (stabSchNoTickIfRos2StablePar Qhat true
                                             stabSchQhat stabNoTick)
               drefusehat)
   where
    Qcom : Process ∞ {lu} c ⊎ ChoiceSet c
    Qcom = bisimTraceTrP₁+ P P' PP' l (inj₁ Q') tr'

    trcom : TrP+ l (bisimTraceTrP₁+ P P' PP' l (inj₁ Q') tr') P
    trcom = bisimTraceTrP₂+ P P' PP' l (inj₁ Q') tr'

    QQ'com : BisimForNextP
             (bisimTraceTrP₁+ P P' PP' l (inj₁ Q') tr') (inj₁ Q')
    QQ'com = bisimTraceTrP₃+ P P' PP' l (inj₁ Q') tr'

    Q : Process ∞ {lu} c
    Q = lemmayyy₁ Qcom Q' stab' X drefuse' QQ'com

    tr : TrP+ {lu} l (inj₁ Q) P
    tr = lemmayyy₂+ Qcom l P Q' stab' X drefuse' QQ'com trcom

    QQ' : Bisimw Q Q'
    QQ' = lemmayyy₃ Qcom Q' stab' X drefuse' QQ'com

    Qhat : Process ∞ {lu} c
    Qhat = nonDivBecomeStable₁ c Q
             (bisimStableImpliesNotDivergent c Q Q' QQ' stab'
                (stableImpliesNonDiv Q' stab'))

    trhat : TrP {lu} [] (inj₁ Qhat) Q
    trhat = nonDivBecomeStable₂ c Q
              (bisimStableImpliesNotDivergent c Q Q' QQ' stab'
                 (stableImpliesNonDiv Q' stab'))

    QhatQ' : Bisimw Qhat Q'
    QhatQ' = bisimPPWithEmptyTr Q Q' QQ' stab'
               (bisimStableImpliesNotDivergent c Q Q' QQ' stab'
                  (stableImpliesNonDiv Q' stab')) trhat

    stabSchQhat : stableSch Qhat
    stabSchQhat = nonDivBecomeStable₃ c Q
                    (bisimStableImpliesNotDivergent c Q Q' QQ' stab'
                       (stableImpliesNonDiv Q' stab'))

    stabNoTick : noTickIfRoscoe true Qhat
    stabNoTick = bisimwStableToNoTick Qhat Q' QhatQ' stab' stabSchQhat

    trhat₁ : TrP+ {lu} (l ++ []) (inj₁ Qhat) P
    trhat₁ = trPAppendTrw+ c P Q l [] (inj₁ Qhat) tr trhat

    eql : (l ++ []) ≡ l
    eql = lemEqList l

    trhat₂ : TrP+ {lu} l (inj₁ Qhat) P
    trhat₂ = subst (λ l' → TrP+ {lu} l' (inj₁ Qhat) P) eql trhat₁

    drefusehat : DRefusal Qhat true X
    drefusehat = bisimDRefusal Q' Qhat stab'
                   (BismwSym Qhat Q' QhatQ') X true drefuse'

--@BEGIN@bisimRefusalrosPlusStabFailRefsfOneInf
bisimwImplies⊑sf₁∞ : {lu : LUniv}{c : Choice} (P : Process∞ ∞ {lu} c)
                     (P' : Process∞ ∞ {lu} c)
                     (PP' : Bisimw∞ {∞} P P')
                     → P ⊑sf₁∞ P'
--@END

bisimwImplies⊑sf₁∞ {lu} {c} P P' PP' l X
                   (stableFp Q' tr' stab' drefuse') =
    stableFp Qhat trhat₂
             (stabSchNoTickIfRos2StablePar Qhat true stabSchQhat
                                           stabNoTick)
             drefusehat
   where
    Qcom : Process ∞ {lu} c ⊎ ChoiceSet c
    Qcom = bisimTraceTrP₁ (forcep P) (forcep P') (forceB PP') l (inj₁ Q') tr'

    trcom : TrP l (bisimTraceTrP₁ (forcep P) (forcep P') (forceB PP') l (inj₁ Q') tr')
                  (forcep P)
    trcom = bisimTraceTrP₂ (forcep P) (forcep P') (forceB PP') l (inj₁ Q') tr'

    QQ'com : BisimForNextP
             (bisimTraceTrP₁ (forcep P) (forcep P') (forceB PP') l (inj₁ Q') tr') (inj₁ Q')
    QQ'com = bisimTraceTrP₃ (forcep P) (forcep P') (forceB PP') l (inj₁ Q') tr'

    Q : Process ∞ {lu} c
    Q = lemmayyy₁ Qcom Q' stab' X drefuse' QQ'com

    tr : TrP {lu} l (inj₁ Q) (forcep P)
    tr = lemmayyy₂ Qcom l (forcep P) Q' stab' X drefuse' QQ'com trcom

    QQ' : Bisimw Q Q'
    QQ' = lemmayyy₃ Qcom Q' stab' X drefuse' QQ'com

    Qhat : Process ∞ {lu} c
    Qhat = nonDivBecomeStable₁ c Q
             (bisimStableImpliesNotDivergent c Q Q' QQ' stab'
                (stableImpliesNonDiv Q' stab'))

    trhat : TrP {lu} [] (inj₁ Qhat) Q
    trhat = nonDivBecomeStable₂ c Q
              (bisimStableImpliesNotDivergent c Q Q' QQ' stab'
                 (stableImpliesNonDiv Q' stab'))

    QhatQ' : Bisimw Qhat Q'
    QhatQ' = bisimPPWithEmptyTr Q Q' QQ' stab'
               (bisimStableImpliesNotDivergent c Q Q' QQ' stab'
                  (stableImpliesNonDiv Q' stab')) trhat

    stabSchQhat : stableSch Qhat
    stabSchQhat = nonDivBecomeStable₃ c Q
                    (bisimStableImpliesNotDivergent c Q Q' QQ' stab'
                       (stableImpliesNonDiv Q' stab'))

    stabNoTick : noTickIfRoscoe true Qhat
    stabNoTick = bisimwStableToNoTick Qhat Q' QhatQ' stab' stabSchQhat

    trhat₁ : TrP {lu} (l ++ []) (inj₁ Qhat) (forcep P)
    trhat₁ = trPAppendTrw c (forcep P) Q l [] (inj₁ Qhat) tr trhat

    eql : (l ++ []) ≡ l
    eql = lemEqList l

    trhat₂ : TrP {lu} l (inj₁ Qhat) (forcep P)
    trhat₂ = subst (λ l' → TrP {lu} l' (inj₁ Qhat) (forcep P)) eql trhat₁

    drefusehat : DRefusal Qhat true X
    drefusehat = bisimDRefusal Q' Qhat stab'
                   (BismwSym Qhat Q' QhatQ') X true drefuse'

{- now the reversed versions -}

--@BEGIN@bisimRefusalrosPlusStabFailRefsfOneR
bisimwImplies⊑sf₁r+ : {lu : LUniv}{c : Choice} (P : Process+ ∞ {lu} c)
                      (P' : Process+ ∞ {lu} c)
                      (PP' : Bisimw+ {∞} P P')
                      → P' ⊑sf₁+ P
bisimwImplies⊑sf₁r+ P P' PP' =
    bisimwImplies⊑sf₁+ P' P
                       (BismwSym+ P P' PP')
--@END

bisimwImplies⊑sf₁r∞ : {lu : LUniv}{c : Choice} (P : Process∞ ∞ {lu} c)
                      (P' : Process∞ ∞ {lu} c)
                      (PP' : Bisimw∞ {∞} P P')
                      → P' ⊑sf₁∞ P
bisimwImplies⊑sf₁r∞ P P' PP' = bisimwImplies⊑sf₁∞ P' P (BismwSym∞ P P' PP')

bisimwImplies⊑sf₁r : {lu : LUniv}{c : Choice} (P : Process ∞ {lu} c)
                     (P' : Process ∞ {lu} c)
                     (PP' : Bisimw {∞} P P')
                     → P' ⊑sf₁ P
bisimwImplies⊑sf₁r P P' PP' = bisimwImplies⊑sf₁ P' P (BismwSym P P' PP')

{- proof of refinement w.r.t. ⊑sf -}

--@BEGIN@bisimRefusalrosPlusStabFailRefsf
bisimwImplies⊑sf+ : {lu : LUniv}{c : Choice} (P : Process+ ∞ {lu} c)
                    (P' : Process+ ∞ {lu} c)
                    (PP' : Bisimw+ {∞} P P')
                    → P ⊑sf+ P'
bisimwImplies⊑sf+ P P' PP'
    = bisimTraceEq+ P P' PP' ,, bisimwImplies⊑sf₁+ P P' PP'
--@END

bisimwImplies⊑sf∞ : {lu : LUniv}{c : Choice} (P : Process∞ ∞ {lu} c)
                    (P' : Process∞ ∞ {lu} c)
                    (PP' : Bisimw∞ {∞} P P')
                    → P ⊑sf∞ P'
bisimwImplies⊑sf∞ P P' PP' = bisimTraceEq∞ P P' PP' ,, bisimwImplies⊑sf₁∞ P P' PP'

bisimwImplies⊑sf : {lu : LUniv}{c : Choice} (P : Process ∞ {lu} c)
                   (P' : Process ∞ {lu} c)
                   (PP' : Bisimw {∞} P P')
                   → P ⊑sf P'
bisimwImplies⊑sf P P' PP' = bisimTraceEq P P' PP' ,, bisimwImplies⊑sf₁ P P' PP'

{- proof of refinement reversed w.r.t. ⊑sf -}

--@BEGIN@bisimRefusalrosPlusStabFailRefsfR
bisimwImplies⊑sfr : {lu : LUniv}{c : Choice} (P : Process ∞ {lu} c)
                    (P' : Process ∞ {lu} c)
                    (PP' : Bisimw {∞} P P')
                    → P' ⊑sf P
bisimwImplies⊑sfr P P' PP'
    = bisimwImplies⊑sf P' P (BismwSym P P' PP')
--@END

bisimwImplies⊑sfr+ : {lu : LUniv}{c : Choice} (P : Process+ ∞ {lu} c)
                     (P' : Process+ ∞ {lu} c)
                     (PP' : Bisimw+ {∞} P P')
                     → P' ⊑sf+ P
bisimwImplies⊑sfr+ P P' PP' = bisimwImplies⊑sf+ P' P (BismwSym+ P P' PP')

bisimwImplies⊑sfr∞ : {lu : LUniv}{c : Choice} (P : Process∞ ∞ {lu} c)
                     (P' : Process∞ ∞ {lu} c)
                     (PP' : Bisimw∞ {∞} P P')
                     → P' ⊑sf∞ P
bisimwImplies⊑sfr∞ P P' PP' = bisimwImplies⊑sf∞ P' P (BismwSym∞ P P' PP')

{- proof of equality -}

--@BEGIN@bisimRefusalrosPlusStabFailRefsEquiv
bisimwImplies≡sf : {lu : LUniv}{c : Choice}
                   (P : Process ∞ {lu} c)
                   (P' : Process ∞ {lu} c)
                   (PP' : Bisimw {∞} P P')
                   → P ≡sf P'
--@END

--@BEGIN@bisimRefusalrosPlusStabFailRefsEquivProof
bisimwImplies≡sf P P' PP'
    = bisimwImplies⊑sf P P' PP' ,,
      bisimwImplies⊑sfr P P' PP'
--@END

bisimwImplies≡sf+ : {lu : LUniv}{c : Choice} (P : Process+ ∞ {lu} c)
                    (P' : Process+ ∞ {lu} c)
                    (PP' : Bisimw+ {∞} P P')
                    → P ≡sf+ P'
bisimwImplies≡sf+ P P' PP'
    = bisimwImplies⊑sf+ P P' PP' ,,
      bisimwImplies⊑sfr+ P P' PP'

bisimwImplies≡sf∞ : {lu : LUniv}{c : Choice} (P : Process∞ ∞ {lu} c)
                    (P' : Process∞ ∞ {lu} c)
                    (PP' : Bisimw∞ {∞} P P')
                    → P ≡sf∞ P'
bisimwImplies≡sf∞ P P' PP' = bisimwImplies⊑sf∞ P P' PP' ,,
                             bisimwImplies⊑sfr∞ P P' PP'

{- now the same, but using proofs of strong bisimilarity -}

bisimsImplies≡sf+ : {lu : LUniv}{c : Choice} (P : Process+ ∞ {lu} c)
                    (P' : Process+ ∞ {lu} c)
                    (PP' : Bisims+ {∞} P P')
                    → P ≡sf+ P'
bisimsImplies≡sf+ P P' PP' = bisimwImplies≡sf+ P P' (bisimsToBismw+ P P' PP')

bisimsImplies≡sf∞ : {lu : LUniv}{c : Choice} (P : Process∞ ∞ {lu} c)
                    (P' : Process∞ ∞ {lu} c)
                    (PP' : Bisims∞ {∞} P P')
                    → P ≡sf∞ P'
bisimsImplies≡sf∞ P P' PP' = bisimwImplies≡sf∞ P P' (bisimsToBismw∞ P P' PP')

--@BEGIN@bisimRefusalrosPlusStabFailRefsEquivStrong
bisimsImplies≡sf : {lu : LUniv}{c : Choice}
                   (P : Process ∞ {lu} c)
                   (P' : Process ∞ {lu} c)
                   (PP' : Bisims {∞} P P')
                   → P ≡sf P'
--@END

--@BEGIN@bisimRefusalrosPlusStabFailRefsEquivStrongProof
bisimsImplies≡sf P P' PP' =
    bisimwImplies≡sf P P' (bisimsToBismw P P' PP')
--@END


A.24 choiceAuxFunction.agda

--@PREFIX@choiceAuxFunction
module choiceAuxFunction where

open import auxData
open import choiceSetU
open import Data.Bool
open import Data.Maybe
open import Data.String renaming (_==_ to _==strb_; _++_ to _++s_)
open import Data.List.Base renaming (map to mapL)
open import Data.Sum
open import Data.Product hiding (_×_)

extChoiceEIToName : String → String
extChoiceEIToName s = "e-" ++s s

intChoiceEIToName : String → String
intChoiceEIToName s = "i-" ++s s

terminationChoiceEIToName : String → String
terminationChoiceEIToName s = s

choice2EnumWithStr : (c : Choice) → List (String × ChoiceSet c)
choice2EnumWithStr c = mapL (λ a → (choice2Str a ,, a)) (choice2Enum c)

mutual
  --@BEGIN@lookupInEnum
  lookupInEnum : {A : Set} → List (String × A) → String → Maybe A
  lookupInEnum [] str = nothing
  lookupInEnum ((str' ,, a) ∷ l) str = lookupInEnumAux a l str
                                         (str' ==strb str)

  lookupInEnumAux : {A : Set} → A → List (String × A) → String → Bool
                    → Maybe A
  lookupInEnumAux a l s false = lookupInEnum l s
  lookupInEnumAux a l s true = just a
  --@END

--@BEGIN@lookupChoice
combineEnumerations : {E I : Choice} → List (String × ChoiceSet E)
                      → List (String × ChoiceSet I)
                      → List (String × (ChoiceSet E ⊎ ChoiceSet I))
combineEnumerations {E} {I} L L' =
    (mapL (λ {(s ,, c)
              → (extChoiceEIToName s ,, inj₁ c)}) L)
    ++
    (mapL (λ {(s ,, c) → (intChoiceEIToName s ,, inj₂ c)}) L')

lookupChoice : (E I : Choice) → String
               → Maybe (ChoiceSet E ⊎ ChoiceSet I)
lookupChoice E I s = lookupInEnum (combineEnumerations
                                     (choice2EnumWithStr E)
                                     (choice2EnumWithStr I)) s
--@END
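The lookup above resolves a user-typed name to either an external or an internal choice purely through the `e-`/`i-` prefix that `combineEnumerations` attaches, so a name such as `go` that occurs in both choice sets is never ambiguous. The stand-alone module below is an added example, not code from CSP-Agda or its appendix: it restates `lookupInEnum` and a simplified `combine` over plain `Set`s instead of `Choice` (so no `choiceSetU` import is needed), builds a constructed enumeration in which both sides contain an element named `go`, and checks by `refl` that the prefixes keep the two apart and that an unprefixed name matches nothing. It assumes the Agda standard library's `Data.String._==_` (which reduces on string literals) and `Data.Product._,_`; the names `combine`, `extEnum`, `intEnum`, `table` and the three lemma names are hypothetical.

```agda
-- Added example, not part of CSP-Agda: lookup by prefixed name over a
-- constructed enumeration.  Assumes the Agda standard library.
module lookupChoiceExample where

open import Data.Bool using (Bool; true; false)
open import Data.List using (List; []; _∷_; _++_; map)
open import Data.Maybe using (Maybe; just; nothing)
open import Data.Nat using (ℕ)
open import Data.Product using (_×_; _,_)
open import Data.String using (String; _==_) renaming (_++_ to _++s_)
open import Data.Sum using (_⊎_; inj₁; inj₂)
open import Relation.Binary.PropositionalEquality using (_≡_; refl)

-- The appendix's lookup, restated so that this module is self-contained:
-- walk the association list and return the first value whose name matches.
mutual
  lookupInEnum : {A : Set} → List (String × A) → String → Maybe A
  lookupInEnum [] str = nothing
  lookupInEnum ((str' , a) ∷ l) str = lookupInEnumAux a l str (str' == str)

  lookupInEnumAux : {A : Set} → A → List (String × A) → String → Bool → Maybe A
  lookupInEnumAux a l s false = lookupInEnum l s
  lookupInEnumAux a l s true  = just a

-- Hypothetical simplification of combineEnumerations over plain Sets:
-- external choices are tagged "e-" and injected left, internal choices
-- are tagged "i-" and injected right.
combine : {E I : Set} → List (String × E) → List (String × I)
          → List (String × (E ⊎ I))
combine L L' = map (λ { (s , c) → ("e-" ++s s , inj₁ c) }) L
            ++ map (λ { (s , c) → ("i-" ++s s , inj₂ c) }) L'

-- Constructed enumerations: both sides contain an element named "go",
-- which only the prefix can tell apart.
extEnum : List (String × ℕ)
extEnum = ("go" , 0) ∷ ("stop" , 1) ∷ []

intEnum : List (String × Bool)
intEnum = ("go" , true) ∷ []

table : List (String × (ℕ ⊎ Bool))
table = combine extEnum intEnum

-- "e-go" resolves to the external element, "i-go" to the internal one,
-- and the bare name "go" matches nothing because no entry carries it.
lookup-e-go : lookupInEnum table "e-go" ≡ just (inj₁ 0)
lookup-e-go = refl

lookup-i-go : lookupInEnum table "i-go" ≡ just (inj₂ true)
lookup-i-go = refl

lookup-bare : lookupInEnum table "go" ≡ nothing
lookup-bare = refl
```

The three `refl` proofs type-check only because `_++s_` and `_==_` compute on closed string literals, so the checker itself evaluates the lookups; the same pattern can be used to unit-test `lookupChoice` on a concrete `Choice` once `choiceSetU` and `choice2Str` are in scope.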


A.25 choiceFromList.agda

--@PREFIX@choiceFromList
module choiceFromList where

open import Size
open import process
open import choiceSetU
open import Data.List
open import primitiveProcess
open import labelUniv
open import externalChoice
open import renamingResult
open import Data.Sum
open import auxData
open import dataAuxFunction

c⊎'c→c : {c : Choice} (x : ChoiceSet (c ⊎' c)) → ChoiceSet c
c⊎'c→c (inj₁ x) = x
c⊎'c→c (inj₂ y) = y

--@BEGIN@choiceList
□l : {i : Size} {c : Choice} {lu : LUniv} {A : Set} → List A
     → (A → Process i {lu} c) → Process i {lu} c
□l {i} {c} [] f = STOP c
□l {i} {c} (a ∷ []) f = f a
□l {i} {c} (a ∷ (b ∷ l)) f = fmap c⊎'c→c ((f a) □ (□l (b ∷ l) f))
--@END

--@BEGIN@choiceListinf
□l∞ : {i : Size} {c : Choice} {lu : LUniv} {A : Set} → List A
      → (A → Process∞ i {lu} c) → Process∞ i {lu} c
□l∞ {i} {c} [] f = STOP∞ c
□l∞ {i} {c} (a ∷ []) f = f a
□l∞ {i} {c} (a ∷ b ∷ l) f = fmap∞ c⊎'c→c ((f a) □∞∞ (□l∞ (b ∷ l) f))
--@END


A.26 choiceSetU.agda

--@PREFIX@ChoU

module choiceSetU where

open import auxData
open import dataAuxFunction
open import Data.Bool
open import Data.Nat
open import Data.Fin renaming (_+_ to _+F_; _<_ to _<F_)
open import Data.String renaming (_==_ to _==strb_; _++_ to _++s_)
open import Data.Nat.Show renaming (show to showN)
open import Data.List.Base renaming (map to mapL)
open import Data.Maybe
open import Agda.Builtin.Unit
open import Data.Product hiding ( _×_ )
open import Data.Sum

infixl 3 _⊎'_
infixl 4 _×'_

-- \ChoU

--@BEGIN@choSetU

data NamedElements (s : List String) : Set where
  ne : Fin (length s) → NamedElements s

mutual
  -- the universe of choice sets (inductive-recursive with ChoiceSet)
  data Choice : Set where
    fin           : ℕ → Choice
    _⊎'_          : Choice → Choice → Choice
    _×'_          : Choice → Choice → Choice
    subset'       : (E : Choice) → (ChoiceSet E → Bool) → Choice
    Σ'            : (E : Choice) → (ChoiceSet E → Choice) → Choice
    namedElements : List String → Choice
    list          : (E : Choice) (l : List (ChoiceSet E)) → Choice

  -- decoding of a code into the set it denotes
  ChoiceSet : Choice → Set
  ChoiceSet (fin n)           = Fin n
  ChoiceSet (s ⊎' t)          = ChoiceSet s ⊎ ChoiceSet t
  ChoiceSet (E ×' F)          = ChoiceSet E × ChoiceSet F
  ChoiceSet (Σ' A B)          = Σ[ x ∈ ChoiceSet A ] ChoiceSet (B x)
  ChoiceSet (namedElements s) = NamedElements s
  ChoiceSet (subset' E f)     = subset (ChoiceSet E) f
  ChoiceSet (list E l)        = ListChoiceElements E l

  data ListChoiceElements (E : Choice)(l : List (ChoiceSet E)) : Set where
    lce : Fin (length l) → ListChoiceElements E l

--@END

∅' : Choice
∅' = fin 0

⊤' : Choice
⊤' = fin 1

nth : {A : Set} → (l : List A) → Fin (length l) → A
nth [] ()
nth (a ∷ l) zero    = a
nth (a ∷ l) (suc n) = nth l n

--@BEGIN@choicetwoStr

choice2Str : {c : Choice} → ChoiceSet c → String
choice2Str {fin n} m = showN (toℕ m)
choice2Str {c₀ ⊎' c₁} (inj₁ a) =
   "(inl " ++s (choice2Str {c₀} a) ++s ")"
choice2Str {c₀ ⊎' c₁} (inj₂ a) =
   "(inr " ++s (choice2Str {c₁} a) ++s ")"
choice2Str {c₀ ×' c₁} (x₀ ,, x₁) =
   "(" ++s (choice2Str {c₀} x₀) ++s
   "," ++s (choice2Str {c₁} x₁) ++s ")"
choice2Str {namedElements s} (ne i) = nth s i
choice2Str {Σ' c₀ c₁} (x₁ , x₂) =
   (choice2Str {c₀} x₁) ++s
   "," ++s (choice2Str {c₁ x₁} x₂)
choice2Str {subset' E f} (sub a x) = choice2Str {E} a
choice2Str {list E l} (lce i) = choice2Str {E} (nth l i)

--@END

choice2Str₁ : (c : Choice) → ChoiceSet c → String
choice2Str₁ c a = choice2Str {c} a

boolToMaybeTrue : (b : Bool) → Maybe (T b)
boolToMaybeTrue false = nothing
boolToMaybeTrue true  = just tt

set2MaybeSubset₀ : (A : Set) → (f : A → Bool) → (a : A) → Maybe (T (f a))
                   → Maybe (subset A f)
set2MaybeSubset₀ A f a (just p) = just (sub a p)
set2MaybeSubset₀ A f a nothing  = nothing

set2MaybeSubset : (A : Set) → (f : A → Bool) → A → Maybe (subset A f)
set2MaybeSubset A f a = set2MaybeSubset₀ A f a (boolToMaybeTrue (f a))

--@BEGIN@choicetwoEnum

-- enumerate all elements of a choice set as a list
choice2Enum : (c : Choice) → List (ChoiceSet c)
choice2Enum (fin n)           = fin2Option₀ n
choice2Enum (c₀ ⊎' c₁)        = mapL (λ a → inj₁ a) (choice2Enum c₀) ++
                                mapL (λ a → inj₂ a) (choice2Enum c₁)
choice2Enum (c₀ ×' c₁)        = concat (mapL (λ a → (mapL (λ b → (a ,, b))
                                   (choice2Enum c₁))) (choice2Enum c₀))
choice2Enum (namedElements s) = mapL (λ i → ne i) (fin2Option₀ (length s))
choice2Enum (Σ' c₀ c₁)        = concat (mapL (λ a → (mapL (λ b → (a , b))
                                   (choice2Enum (c₁ a)))) (choice2Enum c₀))
choice2Enum (subset' E f)     = gfilter (set2MaybeSubset
                                   (ChoiceSet E) f) (choice2Enum E)
choice2Enum (list E l)        = mapL lce (fin2Option₀ (length l))

--@END

choiceIsEmpty : Choice → Bool
choiceIsEmpty c = null (choice2Enum c)

∅⊎∅→∅ : {A : Set} → ChoiceSet (∅' ⊎' ∅') → A
∅⊎∅→∅ (inj₁ ())
∅⊎∅→∅ (inj₂ ())

A.27 choiceSetUOptimized.agda

module choiceSetUOptimized where

open import auxData
open import dataAuxFunction
open import choiceSetU
open import Data.Bool
open import Data.Nat
open import Data.Fin renaming (_+_ to _+F_; _<_ to _<F_)
open import Data.String renaming (_==_ to _==strb_; _++_ to _++s_)
open import Data.Nat.Show renaming (show to showN)
open import Data.List.Base renaming (map to mapL)
open import Data.Maybe
open import Data.Bool.Base
open import Agda.Builtin.Unit
open import Data.Product hiding ( _×_ )
open import Data.Sum
open import Data.Empty
open import Relation.Binary.PropositionalEquality

mutual
  -- the Bool arguments record whether the respective component is empty
  choice2OptimizedChoiceaux⊎' : (c : Choice)(b : Bool)(c' : Choice)(b' : Bool) → Choice
  choice2OptimizedChoiceaux⊎' c false c' false = (choice2OptimizedChoice c) ⊎' (choice2OptimizedChoice c')
  choice2OptimizedChoiceaux⊎' c false c' true  = (choice2OptimizedChoice c)
  choice2OptimizedChoiceaux⊎' c true  c' b'    = (choice2OptimizedChoice c')

  choice2OptimizedChoiceaux×' : (c : Choice)(b : Bool)(c' : Choice)(b' : Bool) → Choice
  choice2OptimizedChoiceaux×' c false c' false = (choice2OptimizedChoice c) ×' (choice2OptimizedChoice c')
  choice2OptimizedChoiceaux×' c false c' true  = fin 0
  choice2OptimizedChoiceaux×' c true  c' b'    = fin 0

  choice2OptimizedChoiceauxSubset : (c : Choice)(f : ChoiceSet c → Bool)(b : Bool)
                                    → Choice
  choice2OptimizedChoiceauxSubset c f false = subset' c f
  choice2OptimizedChoiceauxSubset c f true  = fin 0

  choice2OptimizedChoice : (c : Choice) → Choice
  choice2OptimizedChoice (fin x)           = fin x
  choice2OptimizedChoice (c ⊎' c₁)         = choice2OptimizedChoiceaux⊎' c (choiceIsEmpty c) c₁ (choiceIsEmpty c₁)
  choice2OptimizedChoice (c ×' c₁)         = choice2OptimizedChoiceaux×' c (choiceIsEmpty c) c₁ (choiceIsEmpty c₁)
  choice2OptimizedChoice (namedElements x) = namedElements x
  choice2OptimizedChoice (subset' c f)     = choice2OptimizedChoiceauxSubset c f (choiceIsEmpty (subset' c f))
  choice2OptimizedChoice (Σ' c x)          = Σ' c x
  choice2OptimizedChoice (list c l)        = list c l

  -- translate an element of the optimized choice set back into the original one
  choice2OptimizedChoiceaux⊎'2choice : (c : Choice)(b : Bool)(c' : Choice)(b' : Bool)
                                        (x : ChoiceSet (choice2OptimizedChoiceaux⊎' c b c' b'))
                                        → ChoiceSet (c ⊎' c')
  choice2OptimizedChoiceaux⊎'2choice c false c' false (inj₁ x) = inj₁ (choice2OptimizedChoice2choice c x)
  choice2OptimizedChoiceaux⊎'2choice c false c' false (inj₂ y) = inj₂ (choice2OptimizedChoice2choice c' y)
  choice2OptimizedChoiceaux⊎'2choice c false c' true  x        = inj₁ (choice2OptimizedChoice2choice c x)
  choice2OptimizedChoiceaux⊎'2choice c true  c' b'    y        = inj₂ (choice2OptimizedChoice2choice c' y)

  choice2OptimizedChoiceaux×'2choice : (c : Choice)(b : Bool)(c' : Choice)(b' : Bool)
                                        (x : ChoiceSet (choice2OptimizedChoiceaux×' c b c' b'))
                                        → ChoiceSet (c ×' c')
  choice2OptimizedChoiceaux×'2choice c false c' false (x ,, x') =
     choice2OptimizedChoice2choice c x ,, choice2OptimizedChoice2choice c' x'
  choice2OptimizedChoiceaux×'2choice c false c' true ()
  choice2OptimizedChoiceaux×'2choice c true  c' b'   ()

  choice2OptimizedChoiceauxSubset2choice : (c : Choice)(f : ChoiceSet c → Bool)(b : Bool)
                                            (x : ChoiceSet (choice2OptimizedChoiceauxSubset c f b))
                                            → ChoiceSet (subset' c f)
  choice2OptimizedChoiceauxSubset2choice c f false x = x
  choice2OptimizedChoiceauxSubset2choice c f true  ()

  choice2OptimizedChoice2choice : (c : Choice)(x : ChoiceSet (choice2OptimizedChoice c))
                                  → ChoiceSet c
  choice2OptimizedChoice2choice (fin x) x₁           = x₁
  choice2OptimizedChoice2choice (c ⊎' c₁) x          = choice2OptimizedChoiceaux⊎'2choice c (choiceIsEmpty c) c₁
                                                         (choiceIsEmpty c₁) x
  choice2OptimizedChoice2choice (c ×' c₁) x          = choice2OptimizedChoiceaux×'2choice c (choiceIsEmpty c) c₁
                                                         (choiceIsEmpty c₁) x
  choice2OptimizedChoice2choice (namedElements x) x₁ = x₁
  choice2OptimizedChoice2choice (subset' c f) y      = choice2OptimizedChoiceauxSubset2choice c f
                                                         (choiceIsEmpty (subset' c f)) y
  choice2OptimizedChoice2choice (Σ' c x) x₁          = x₁
  choice2OptimizedChoice2choice (list c l) x₁        = x₁


A.28 choiceSetUOptimized2.agda

module choiceSetUOptimized2 where

open import auxData
open import dataAuxFunction
open import choiceSetU
open import Data.Bool
open import Data.Nat
open import Data.Fin renaming (_+_ to _+F_; _<_ to _<F_)
open import Data.String renaming (_==_ to _==strb_; _++_ to _++s_)
open import Data.Nat.Show renaming (show to showN)
open import Data.List.Base renaming (map to mapL)
open import Data.Maybe
open import Data.Bool.Base
open import Agda.Builtin.Unit
open import Data.Product hiding ( _×_ )
open import Data.Sum
open import Data.Empty
open import Relation.Binary.PropositionalEquality

-- optimized version: replace a choice by the list of its enumerated elements
choice2OptimizedChoice : (c : Choice) → Choice
choice2OptimizedChoice c = list c (choice2Enum c)

choice2OptimizedChoice2choice : (c : Choice)
                                (x : ChoiceSet (choice2OptimizedChoice c))
                                → ChoiceSet c
choice2OptimizedChoice2choice c (lce i) = nth (choice2Enum c) i


A.29 choiceSetUOptimized3.agda

module choiceSetUOptimized3 where

open import auxData
open import dataAuxFunction
open import choiceSetU
open import Data.Bool
open import Data.Nat
open import Data.Fin renaming (_+_ to _+F_; _<_ to _<F_)
open import Data.String renaming (_==_ to _==strb_; _++_ to _++s_)
open import Data.Nat.Show renaming (show to showN)
open import Data.List.Base renaming (map to mapL)
open import Data.Maybe
open import Data.Bool.Base
open import Agda.Builtin.Unit
open import Data.Product hiding ( _×_ )
open import Data.Sum
open import Data.Empty
open import Relation.Binary.PropositionalEquality

-- optimized version: replace a choice by a finite set indexing its enumeration
choice2OptimizedChoice : (c : Choice) → Choice
choice2OptimizedChoice c = fin (length (choice2Enum c))

choice2OptimizedChoice2choice : (c : Choice)
                                (x : ChoiceSet (choice2OptimizedChoice c))
                                → ChoiceSet c
choice2OptimizedChoice2choice c i = nth (choice2Enum c) i


A.30 dataAuxFunction.agda

--@PREFIX@dataauxfunction
module dataAuxFunction where

open import auxData
open import Data.Bool
open import Data.Nat
open import Agda.Builtin.Nat renaming (_<_ to _<N_; _==_ to _==N_)
open import Data.Fin renaming (_+_ to _+F_; _<_ to _<F_)
open import Data.Char renaming (_==_ to _==?_)
open import Data.Maybe
open import Data.String renaming (_==_ to _==strb_; _++_ to _++s_)
open import Data.Nat.Show renaming (show to showN)
open import Data.List.Base renaming (map to mapL)
open import Data.Sum
open import Agda.Builtin.Unit
open import Data.Empty
open import Data.Product hiding ( _×_ )

¬ : Set → Set
¬ a = a → ⊥

¬b : Bool → Bool
¬b true  = false
¬b false = true

tertiumNonDatur : (b : Bool) → T b ⊎ T (¬b b)
tertiumNonDatur true  = inj₁ tt
tertiumNonDatur false = inj₂ tt

transfer : {A : Set} → (C : A → Set) → (a a' : A) → a ≡ a' → C a → C a'
transfer C a .a refl c = c

projSubset : {A : Set} → {f : A → Bool} → subset A f → A
projSubset (sub a x) = a

_∘_ : {A B C : Set} → (B → C) → (A → B) → A → C
(f ∘ g) a = f (g a)

infixr 9 _∘_

π₀ : {A B : Set} → A × B → A
π₀ (a ,, b) = a

π₁ : {A B : Set} → A × B → B
π₁ (a ,, b) = b

efq : {A : Set} → Fin 0 → A
efq ()

isDigit : Char → Maybe ℕ
isDigit '0' = just 0
isDigit '1' = just 1
isDigit '2' = just 2
isDigit '3' = just 3
isDigit '4' = just 4
isDigit '5' = just 5
isDigit '6' = just 6
isDigit '7' = just 7
isDigit '8' = just 8
isDigit '9' = just 9
isDigit _   = nothing

-- append digit n to the number accumulated so far (if any)
attach : Maybe ℕ → ℕ → ℕ
attach nothing  n = n
attach (just m) n = 10 * m + n

Quote : List Char → Maybe (List ℕ)
Quote xs = parse xs nothing []
  where
    parse : List Char → Maybe ℕ → List ℕ → Maybe (List ℕ)
    parse [] nothing  ns = just ns
    parse [] (just n) ns = just (n ∷ ns)
    parse (hd ∷ tl) m ns with isDigit hd
    ... | nothing = nothing
    ... | just n  = parse tl (just (attach m n)) ns

stringListToℕ : String → Maybe (List ℕ)
stringListToℕ xs with Quote (toList xs)
... | nothing = nothing
... | just ns = just (reverse ns)

listℕtoℕ' : List ℕ → ℕ
listℕtoℕ' []      = 0
listℕtoℕ' (n ∷ l) = listℕtoℕ' l * 10 + n

listℕtoℕ : List ℕ → ℕ
listℕtoℕ l = listℕtoℕ' (reverse l)

stringToMaybeℕ : String → Maybe ℕ
stringToMaybeℕ s with (stringListToℕ s)
stringToMaybeℕ s | just l  = just (listℕtoℕ l)
stringToMaybeℕ s | nothing = nothing

<ℕboolTo< : {n m : ℕ} → T (n <N m) → n < m
<ℕboolTo< {zero}  {zero}  ()
<ℕboolTo< {zero}  {suc m} p = s≤s z≤n
<ℕboolTo< {suc n} {zero}  ()
<ℕboolTo< {suc n} {suc m} p = s≤s (<ℕboolTo< {n} {m} p)

sumFin : (n : ℕ) → (Fin n → ℕ) → ℕ
sumFin zero    _ = 0
sumFin (suc n) f = f zero + sumFin n (f ∘ suc)

-- the recursive call must be to prodFin, not sumFin, for this to be a product
prodFin : (n : ℕ) → (Fin n → ℕ) → ℕ
prodFin zero    _ = 1
prodFin (suc n) f = f zero * prodFin n (f ∘ suc)

embed : {n : ℕ} → Fin n → Fin (suc n)
embed zero    = zero
embed (suc m) = suc (embed m)

last : {n : ℕ} → Fin (suc n)
last {zero}  = zero
last {suc n} = suc (last {n})

fin2OptionAux : {n : ℕ} → String × Fin n → String × Fin (suc n)
fin2OptionAux (str ,, k) = (str ,, embed k)

fin2Option' : (n : ℕ) → List (String × Fin n)
fin2Option' zero    = []
fin2Option' (suc n) = (showN n ,, last) ∷ mapL fin2OptionAux (fin2Option' n)

fin2Option : (n : ℕ) → List (String × Fin n)
fin2Option n = reverse (fin2Option' n)

--@BEGIN@finoption

fin2Option₀' : (n : ℕ) → List (Fin n)
fin2Option₀' zero    = []
fin2Option₀' (suc n) = last ∷ mapL embed (fin2Option₀' n)

fin2Option₀ : (n : ℕ) → List (Fin n)
fin2Option₀ n = reverse (fin2Option₀' n)

--@END

test  = fin2Option₀ 5
test' = fin2Option₀' 5


A.31 div.agda

--@PREFIX@div

module div where

open import Size
open import Data.String renaming (_==_ to _==strb_; _++_ to _++s_)
open import Data.List
open import process
open import auxData
open import dataAuxFunction
open import choiceSetU
open import labelUniv

--@BEGIN@DivDef

mutual
  DIV∞ : {i : Size}{lu : LUniv} → {c : Choice} → Process∞ i {lu} c
  forcep DIV∞ = DIV
  Str∞ DIV∞ = "DIV"

  DIV : {i : Size}{lu : LUniv} → {c : Choice} → Process i {lu} c
  DIV = node DIV+

  -- no external choices, one internal choice leading back to DIV∞, no termination
  DIV+ : {i : Size}{lu : LUniv} → {c : Choice} → Process+ i {lu} c
  DIV+ = (process+ ∅' efq efq ⊤' (λ _ → DIV∞) ∅' efq "DIV")

--@END


A.32 efq.agda

--@PREFIX@efq
module efq where

open import Data.Fin

--@BEGIN@efqDef

efq : {A : Set} → Fin 0 → A
efq ()

--@END


A.33 example.agda

module example where

open import Data.Bool hiding (_≟_)
open import Data.Bool.Base renaming (T to T') hiding (_≟_)
open import libBool
open import libList
open import Data.String renaming (_==_ to _==strb_; _++_ to _++s_)
open import Data.List renaming (_++_ to _++l_ ; map to mapL)
open import labelUniv
open import Size
open import process
open import choiceSetU
open import choiceFromList
open import preFix
open import UnitModule
--open import simulator
open import NativeIO
open import SizedIO.Console hiding (main)
open import externalChoice
open import Data.Fin
open import Data.Nat hiding (_≟_)
open import parallelSimple
open import interleave
open import hidingOperator
-- open import SizedIO.Base renaming (force to forceIO; delay to delayIO)
{- needed possibly for compilation -}
--open import SizedIO.Base
open import renamingResult
open import dataAuxFunction
open import Relation.Nullary.Decidable
open import Data.String
open import simulatorCutDown hiding (main;transition₁;transition₂)
open import primitiveProcess
open import choiceAuxFunction
open import Data.Sum
open import label renaming (Label to LabelSimple)
open import UnitModule

data SIGNAL : Set where
  sig1 : SIGNAL -- sig2

_==sig_ : SIGNAL → SIGNAL → Bool
_ ==sig _ = true
-- sig1 ==sig sig1 = true
-- sig2 ==sig sig2 = true
-- _ ==sig _ = false

refl==sig : {s : SIGNAL} → T' (s ==sig s)
refl==sig {sig1} = _
-- refl==sig {sig2} = _

showSIGNAL : (s : SIGNAL) → String
showSIGNAL _ = "" -- "sig1"
-- showSIGNAL sig2 = "sig2"

LabelListSIGNAL : List SIGNAL
LabelListSIGNAL = [] -- sig1 ∷ sig1 ∷ []

symSIGNAL : {l l' : SIGNAL} → T' (l ==sig l') → T' (l' ==sig l)
symSIGNAL {sig1} {sig1} _ = _

transfSIGNAL : (l l' : SIGNAL)(Q : SIGNAL → Set) → T' (l ==sig l') → Q l → Q l'
transfSIGNAL sig1 sig1 Q _ x = x

open LUniv
labelSIGNAL1 : LUniv
labelSIGNAL1 = record{ Labelf = SIGNAL ;
                       _==lf_ = λ s s' → s ==sig s' ;
                       refl==lf = λ {l} → refl==sig {l} ;
                       sym==lf = λ {s} {s'} → symSIGNAL {s} {s'} ;
                       transf = λ {s} {s'} → transfSIGNAL s s' ;
                       showLabelf = showSIGNAL ;
                       LabelListf = LabelListSIGNAL}

-- LUniv.Labelf labelSIGNAL1 = SIGNAL
-- LUniv._==lf_ labelSIGNAL1 s s' = debug (s ==sig s') "_==sig"
-- LUniv.refl==lf labelSIGNAL1 {l} = refl==sig {l}
-- LUniv.showLabelf labelSIGNAL1 = showSIGNAL
-- LUniv.LabelListf labelSIGNAL1 = LabelListSIGNAL

labelSIGNAL : LUniv
labelSIGNAL = labelSIGNAL1

{- start hidden -}

transition₁ : ∀ i → Process i {lsimple} setSTOP
transition₁ i = (lab laba) ⟶ delay ((lab labb) ⟶ delay ((lab labc) ⟶ delay (STOP {∞}

transition₂ : ∀ i → Process i {lsimple} setSTOP
transition₂ i = (lab laba) ⟶ delay ((lab labb) ⟶ delay ((lab labc) ⟶ delay {{ ({ i)} (S

transition₃ : Process+ ∞ {labelSIGNAL} setSTOP
transition₃ = -- lab sig1 ⟶ delay {∞} (lab sig1 ⟶
              lab sig1 ⟶+ delay {∞} (STOP setSTOP)
              -- delay {∞}

main' : NativeIO Unit
main' = translateIOConsole (simulator (transition₁ ∞))

Str' : {i : Size} → {c : Choice} → {lu : LUniv} → Process i {lu} c → String
Str' (terminate a) = "test1" -- "terminate(" ++s choice2Str a ++s ")"
Str' (node P) = Str+ P

record testRec : Set where
  field
    a : ℕ

open testRec

x : testRec
a x = 3

y : ℕ
y = a x

z = Labelf labelSIGNAL1

mutual
  record LUniv' : Set₁ where
    constructor luniv'
    inductive
    field
      Labelf : Set
      showLabelf : Labelf → String
      eqlf : Bool -- Labelf → Bool

  data Label' (lu : LUniv') : Set where
    lab : LUniv'.Labelf lu → Label' lu

open LUniv'

const'' : SIGNAL → Bool
const'' = λ l → true

showSIGNAL' : SIGNAL → String
showSIGNAL' s = "signal"

labelSIGNAL1' : LUniv'
labelSIGNAL1' = record{ Labelf = SIGNAL ;
                        showLabelf = showSIGNAL' ;
                        eqlf = true -- const'' -- λ l → true;
                      }

showLabel' : {lu : LUniv} → Label lu → String
showLabel' {lu} (lab x) = LUniv.showLabelf lu x -- showSIGNAL sig1 -- -- showLabelSimple
-- showLabel' {lu} (lab x) = LUniv.showLabelf lu x -- showLabelSimple

showLabel'' : {lu : LUniv'} → Label' lu → String
showLabel'' {lu} (lab x) = LUniv'.showLabelf lu x

-- works
main'' : NativeIO Unit
main'' = nativePutStrLn (showSIGNAL sig1)
         native>>= (λ r → nativeReturn unit)

-- works
main3 : NativeIO Unit
main3 = nativePutStrLn (LUniv'.showLabelf labelSIGNAL1' sig1)

-- doesn't work
main4 : NativeIO Unit
main4 = nativePutStrLn (LUniv.showLabelf labelSIGNAL1 sig1)
        native>>= (λ r → nativeReturn unit)

main = main4

-- transition : ∀ i → Process i {labelSIGNAL} setSTOP
-- transition i = lab sig2 ⟶ delay {i} (lab sig2 ⟶ delay {i} (lab sig2

-- myResultType : Choice
-- myResultType = setSTOP ×' setSTOP

-- myProcess : Process ∞ {labelSIGNAL} myResultType
-- myProcess = transition₁ ∞ ||| transition ∞

{- end hidden -}

-- main : NativeIO Unit
-- main = translateIOConsole (simulator myProcess)


A.34 example2.agda

module example2 where

open import Data.String renaming (_==_ to _==strb_; _++_ to _++s_)

record Unit : Set where
  constructor unit

{-# COMPILE GHC Unit = data () (()) #-}

{-# FOREIGN GHC import qualified Data.Text #-}
{-# FOREIGN GHC import qualified System.Environment #-}

postulate
  NativeIO     : Set → Set
  nativeReturn : {A : Set} → A → NativeIO A
  _native>>=_  : {A B : Set} → NativeIO A → (A → NativeIO B) → NativeIO B

{-# BUILTIN IO NativeIO #-}

{-# COMPILE GHC NativeIO = type IO #-}
{-# COMPILE GHC nativeReturn = (\_ -> return :: a -> IO a) #-}
{-# COMPILE GHC _native>>=_ = (\_ _ -> (>>=) :: IO a -> (a -> IO b) -> IO b) #-}

postulate
  nativePutStrLn : String → NativeIO Unit

{-# COMPILE GHC nativePutStrLn = (\ s -> putStrLn (Data.Text.unpack s)) #-}

data Bool : Set where
  true false : Bool

-- mutual is the problem
-- if mutual is removed compilation works
-- otherwise compilation doesn't work
mutual
  record LUniv : Set₁ where
    field
      Labelf     : Set
      _==lf_     : Labelf → Labelf → Bool
      showLabelf : Labelf → String
      LabelListf : Bool

open LUniv

mutual
  data Label (lu : LUniv) : Set where
    lab : Labelf lu → Label lu

data SIGNAL : Set where
  sig1 : SIGNAL -- sig2

_==sig_ : SIGNAL → SIGNAL → Bool
_ ==sig _ = true

showSIGNAL : (s : SIGNAL) → String
showSIGNAL _ = "" -- "sig1"

labelSIGNAL : LUniv
labelSIGNAL = record{ Labelf = SIGNAL ;
                      _==lf_ = λ s s' → s ==sig s' ;
                      showLabelf = showSIGNAL ;
                      LabelListf = true } -- LabelListSIGNAL}

showLabel' : {lu : LUniv} → Label lu → String
showLabel' {lu} (lab x) = LUniv.showLabelf lu x

main : NativeIO Unit
main = nativePutStrLn (LUniv.showLabelf labelSIGNAL sig1)
       native>>= (λ r → nativeReturn unit)


A.35 example3.agda

module example3 where

open import Data.String
open import UnitModule
open import NativeIO

data Bool : Set where
  true false : Bool

mutual
  record L : Set₁ where
    inductive
    field
      a : Set
      b : a → String
      c : Bool

open L

l : L
a l = Bool
b l = λ x → "test"
c l = true

main : NativeIO Unit
main = nativePutStrLn (b l true) native>>= λ r → nativeReturn _


A.36 externalChoice.agda 


--@PREFIX@ExternalChoice 


module externalChoice where 


open 

open 

open 

open 

open 

open 

open 

open 

open 

open 

open 

open 

open 


mport Size 
mport process 
mport choiceSetU 
mport choiceAuxFunction 
mport dataAuxFunction 
mport auxData 
mport renamingResult 
mport Size 

mport Data.String renaming (_++_ to _++s_) 

mport showFunction 

mport Data.Sum 

mport addTick 

mport labelUniv 


_DRes_ : Choice —> Choice — Choice 
c 0 QRes ci = (cq W’ ci) l±l' (c 0 x’ ci) 


a 


-o 
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--@BEGIN@ExtCDef 

_DStr_ : String —>• String —> String 
s DStr s’ = " (" — |—|—s s —I—|—s " □ " ++s s’ — |—|—s ")" 

mutual 

-□oooo_ : {lu : LUniv}{co c\ : Choice} — > {i : Size} 

—> Processoo i {lu} Co —>■ Processoo i {lu} c\ 
—> Processoo i {lu} (c 0 l±J’ c\) 
forcep (P Doooo Q ) = forcep P □ forcep Q 
Stroo (P noooo Q ) = Stroo P DStr Stroo Q 

JHoo+_ : {lu : LUniv}{co c,\ : Choice} —> {i : Size} 

—> Processoo i {lu} cq Process+ i {lu} c\ 
—> Processoo i {lu} (c 0 l±l' Ci) 
forcep (P Doo+ Q ) = forcep P Dp+ Q 

Stroo (P Doo+ Q ) = Stroo P DStr Str+ Q 


_D+oo_ : {lu : LUniv}{c 0 c\ : Choice} — > {i : Size} 

—^ Process+ i {lu} c 0 —> Processoo i {lu} c\ 

—> Processoo i {lu} (c 0 l±l' ci) 
forcep (P D+oo Q ) = P D+p forcep Q 

Stroo (P D+oo Q ) = Str+ P DStr Stroo Q 

: {lu : LUniv}{c 0 C\ : Choice} — > {i : Size} — > Process i {lu} c 0 
Process i {lu} C\ —)■ Process i {lu} (c 0 l±)' ci) 
node P □ Q = P D+p Q 

P □ node Q = P Dp+ Q 

terminate a □ terminate b = 2-/ a b 

_D+p_ : {lu : LUniv}{c 0 C\ : Choice} — > {i : Size} 

—>• Process+ i {lu} Co —> Process i {lu} c\ 

—> Process i {lu} (co ttl’ ci) 

P D+p terminate b = addTimed/ (inj 2 b) (node (fmap+ inji P) ) 

P m+p node Q = node (P □+ Q ) 


a 


o 
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o 


■o 


_D+oo+_ : {lu : LUniv}{c 0 c\ : Choice} — >• {i : Size} 

— > Process+ i {lu} c 0 —>■ Processoo i {lu} C\ 
—> Processoo i {lu} (c 0 l±l' C\) 
forcep (P D+oo+ Q ) = node (P D+p+ forcep Q ) 

Stroo (P n+oo+ Q ) = Str+ P DStr Stroo Q 


_Dp+_ : {lu : LUniv}{c 0 C\ : Choice} —> {i : Size} —> Process i {lu} c 0 
—> Process+ i {lu} c\ — » Process * {lu} (c 0 l±)’ ci) 
terminate a Dp+ Q = addTimed/ (inji a) 

(node (fmap+ inj 2 Q ) ) 

node P Dp+ Q = node (P □+ Q ) 


_□+_ : {lu : LUniv}{co c\ : Choice} —> {i : Size} 

—>• Process+ i {lu} cq —>• Process+ i {lu} c\ 



—)■ Process+ i {lu} (c 0 W’ c\) 

E 

( P °+ Q) 

= E PW' E Q 

Lab 

( P D + Q) (inji x) 

= Lab P x 

Lab 

(P □+ Q) (inj 2 x) 

= Lab Q x 

PE 

(P □+ Q) (inji x) 

= fmapoo inji (PE P x ) 

PE 

(P D + Q) (inj 2 x) 

= fmapoo inj 2 (PE Q x ) 

1 

( P °+ Q) 

= 1 PW 1 Q 

PI 

(P D + Q) (inji c) 

= PI Pc Doo+ Q 

PI 

{P D + Q) (inj 2 c) 

= P n+oo PI Q c 

T 

(P °+ Q) 

= T P\t)' T Q 

PT 

( P □+ Q) (inji c) 

= inji (PT P c ) 

PT 

( P n + Q) (inj 2 c) 

= inj 2 (PT Q c ) 

Str+ (P □+ Q) 

= Str+ P nStr Str+ Q 

_Qoop 

_ : {lu : LUniv}{co 

c± : Choice} — >■ {i : Size} 


— > Processoo 

i {lu} Co —> Process i {lu} C] 


— > Processoo 

i {lu} (c 0 l±)' Ci) 

forcep (P Doop Q) 

= forcep P □ Q 

Stroo 

(P Doop Q) 

= Stroo P DStr Str Q 

-□poo 

_ : {lu : LUniv}{co 

Ci : Choice} —» {i : Size} 


—> Process i {lu} cq —> Processoo i {lu} C] 


a 


-o 




—> Processcx) i {lu} (c 0 l±l' c{) 
forcep (P Dpoo Q ) = P □ forcep Q 

Stroo (P Dpoo Q ) = Str P DStr Stroo Q 


--mm 

JH/p/_ : {lu : LUniv}{c 0 ci : Choice} -/ {i : Size} 

-/ Process+ i {lu} c 0 —> Process i {lu} C\ 

—> Process+ % {lu} (c 0 l±l' Ci) 

P D/p/ terminate b = addTimed/ + (inj 2 b) (fmap+ inji P) 

P D+p+ node Q = (P □++ Q) 

_Dp+p_ : {lu : LUniv}{co c\ : Choice} — > {i : Size} —>• Process i {lu} cq 

— > Process+ i {lu} c\ —> Process i {lu} (co t±J’ c\) 
terminate a dp+p Q = addTimed/ (inji a) 

(node (fmap+ inj 2 Q ) ) 

node P n P+P Q = node (P □++ Q ) 


_DpH— 1 -_ : {lu : LUniv}{c 0 ci : Choice} — > {i : Size} — > Process % {lu} c 0 
—>■ Process+ i {lu} c\ —> Process/ i {lu} (c 0 l±l’ /) 
terminate a Dp++ Q = addTimed/ + (inji a ) 

((fmap+ inj 2 Q) ) 

node P Dp++ Q = (P □++ Q) 


_□++_ : {lu : LUniv}{c 0 ci : Choice} —$■ {i : Size} 
—> Process/ i {lu} Co —> Process/ i {lu} c\ 
—y Process/ i {lu} (c 0 W’ ci) 


E 

(P 

□ // 

Q) 


= E PW E Q 

Lab 

(P 

□ // 

Q) 

(inji x) 

= Lab P x 

Lab 

(P 

□ // 

Q) 

(inj 2 x) 

= Lab Q x 

PE 

(P 

□ // 

Q) 

(inji x ) 

= fmapoo inji (PE P x) 

PE 

(P 

□ // 

Q) 

(inj 2 x) 

= fmapoo inj 2 (PE Q x) 

1 

(P 

□ // 

Q) 


= 1 P\t)' 1 Q 

PI 

(P 

□ // 

Q) 

(inji c) 

= PI Pc Doo// Q 

PI 

(P 

□ // 

Q) 

(inj 2 c) 

= P n/oo/ PI Q c 


O- 


O 
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T (P □++ Q) 

PT (P □++ Q) (inji c) 

PT (P □++ Q) (inj 2 c) 

Str+ (.P □++ Q) 


= T P W T Q 
= inji (PT P c) 

= inj 2 (PT Q c) 

= Str+ P DStr Str+ Q 


_Doo++_ : {lu : LUniv}{c 0 C\ : Choice} —» {i : Size} 

—> Processoo i {lu} c 0 —> Process+ i {lu} c,\ 

—> Processcxo i {lu} (co W ci) 

forcep (P DooTT Q ) = node (forcep P dp++ Q) 

Stroo (P noo++ Q ) = Stroo P DStr Str+ Q 

mutual 

_nwl\lamoooo_Using_,_,_ : {co c\ : Choice} —> {i : Size} 

{lu : LUniv} 

—y Processoo i {lu} Co 
—)• Processoo i {lu} C\ 

—> (Dname : String —* String —> String) 

—> (pfmapLeftName : String —> String) 

—)• (UfmapRightName : String —> String) 

—>• Processoo i {lu} (co W c\) 

forcep (P □wNamoooo Q Using Oname , OfmapLeftName , UfmapRightName ) 

= forcep P DwNam forcep Q Using Uname , □ fmapLeftName , UfmapRightNan 

Stroo (P DwNamoooo Q Using Uname , □ fmapLeftName , UfmapRightName) = Uname 

_nwl\lamoo+_Using_,_,_ : {co c\ : Choice} —> {i : Size} —> {lu : LUniv} 

—y Processoo i {lu} Cq 
—> Process+ i {lu} c\ 

—> (Uname : String —> String —>• String) 

—>■ (□fmapLeftName : String —>■ String) 

—> (UfmapRightName : String —>■ String) 

—> Processoo i {lu} (co t±J’ c\) 

forcep (P DwNamoo+ Q Using Uname , □fmapLeftName , UfmapRightName) 

= forcep P DwNamp+ Q Using Uname , □_fmapLeftName , UfmapRightNi 

Stroo (P □wl\lamoo+ Q Using Uname , □fmapLeftName , UfmapRightName) = Unan 

_nwNamoo++_Using_,_,_ : {c 0 c\ : Choice} —> {i : Size} —> {lu : LUniv} 

—y Processoo i {lu} Cq 
—> Process+ i {lu} c\ 

—> (Uname : String —> String —> String) 


o 


-o 
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—> (DfmapLeftName : String —>■ String) 

—> (DfmapRightName : String —> String) 

—> Processcx) i {lu } (c 0 l±l' ci) 

forcep (P □wNamoo++ Q Using Dname , DfmapLeftName , DfmapRightName ) 

= node (forcep P □wNamp++ Q Using Dname , DfmapLeftName , DfmapRightName) 
Stroo (P □wNamoo++ Q Using Dname , □ frriapLeftNarne , OfmapRightName ) = Oname (Stroo 


_DwNam+oo_Using_,_,_ : {c 0 C\ : Choice} —y {i : Size} — > {lu : LUniv} 

—> Process+ i {lu} Co 
—> Processoo i {lu} c\ 

—)■ (Oname : String —)■ String —>■ String) 

—)■ (OfmapLeftName : String —>■ String) 

—)■ ( UfmapRightName : String —> String) 

—> Processoo i {lu} (c 0 l±J’ ci) 

forcep (P □wNam+oo Q Using Dname , DfmapLeftName , DfmapRightName ) 

= P DwNam+p forcep Q Using Dname , DfmapLeftName , DfmapRightName 
Stroo (P □wNam+oo Q Using Dname , DfmapLeftName , DfmapRightName ) 

= Dname (Str+ P) (Stroo Q) 


--@BEGIN@extchoiceWName 

_DwNam_Using_,_,_ : {c 0 C\ : Choice} — >■ {i : Size} — >■ {lu : LUniv} 

—¥ Process i {lu} c 0 
—> Process i {lu} c\ 

—)• (Dname : String — >• String —> String) 

—> (DfmapLeftName : String —>■ String) 

—> (DfmapRightName : String — >• String) 

—> Process i {lu} (c 0 l±)' C\) 

--SEND 

node P DwNam Q Using Dname , DfmapLeftName , DfmapRightName 

= P DwNam+p Q Using Dname , DfmapLeftName , DfmapRightName 
P DwNam node Q Using Dname , DfmapLeftName , DfmapRightName = 

P □wNamp+ Q Using Dname , DfmapLeftName , DfmapRightName 
terminate a DwNam terminate b Using Dname , DfmapLeftName , DfmapRightName = 2-/ a 

_DwNamp_Using_,_,_ : {c 0 c\ : Choice} —y {i : Size} 

—> {lu : LUniv} 

—> Process i {lu} c 0 
—> Process % {lu} c\ 

—>■ (Dname : String —y String —)■ String) 


a 


-o 
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—> (UfmapLeftName : String —>• String) 

—>• (UfmapRightName : String —>• String) 

—>• Process/ % {lu } (c 0 l±l' Ci) 

node P □wNamp Q Using Dname , UfmapLeftName , DfmapRightNam 

= P DwNam/p/ Q Using Dname , UfmapLeftName , UfmapRightName 
P □wNamp node Q Using Dname , UfmapLeftName , □ fmapRightNam 

= P DwNamp// Q Using □ name , UfmapLeftName , UfmapRightName 
terminate a DwNamp terminate b Using Dname , D fmapLeftName , UfmapRightName 
= 2-/ -|- a b 

_□wNam+p_Using_,_,_ : {c₀ c₁ : Choice} → {i : Size}
    → {lu : LUniv}
    → Process+ i {lu} c₀
    → Process i {lu} c₁
    → (□name : String → String → String)
    → (□fmapLeftName : String → String)
    → (□fmapRightName : String → String)
    → Process i {lu} (c₀ ⊎' c₁)
P □wNam+p terminate b Using □name , □fmapLeftName , □fmapRightName
   = addTimed✓ (inj₂ b) (node (fmapWithName+ □fmapRightName inj₁ P))
P □wNam+p node Q Using □name , □fmapLeftName , □fmapRightName
   = node (P □wNam+ Q Using □name , □fmapLeftName , □fmapRightName)
_□wNam+p+_Using_,_,_ : {c₀ c₁ : Choice} → {i : Size}
    → {lu : LUniv}
    → Process+ i {lu} c₀
    → Process i {lu} c₁
    → (□name : String → String → String)
    → (□fmapLeftName : String → String)
    → (□fmapRightName : String → String)
    → Process+ i {lu} (c₀ ⊎' c₁)
P □wNam+p+ terminate b Using □name , □fmapLeftName , □fmapRightName
   = addTimed✓+ (inj₂ b) (fmapWithName+ □fmapRightName inj₁ P)
P □wNam+p+ node Q Using □name , □fmapLeftName , □fmapRightName
   = P □wNam++ Q Using □name , □fmapLeftName , □fmapRightName


_□wNam+∞+_Using_,_,_ : {c₀ c₁ : Choice} → {i : Size} → {lu : LUniv}
    → Process+ i {lu} c₀
    → Process∞ i {lu} c₁
    → (□name : String → String → String)
    → (□fmapLeftName : String → String)
    → (□fmapRightName : String → String)
    → Process∞ i {lu} (c₀ ⊎' c₁)
forcep (P □wNam+∞+ Q Using □name , □fmapLeftName , □fmapRightName)
   = node (P □wNam+p+ forcep Q Using □name , □fmapLeftName , □fmapRightName)
Str∞ (P □wNam+∞+ Q Using □name , □fmapLeftName , □fmapRightName)
   = □name (Str+ P) (Str∞ Q)


_□wNamp+_Using_,_,_ : {c₀ c₁ : Choice} → {i : Size} → {lu : LUniv}
    → Process i {lu} c₀
    → Process+ i {lu} c₁
    → (□name : String → String → String)
    → (□fmapLeftName : String → String)
    → (□fmapRightName : String → String)
    → Process i {lu} (c₀ ⊎' c₁)
terminate a □wNamp+ Q Using □name , □fmapLeftName , □fmapRightName
   = addTimed✓ (inj₁ a) (node (fmapWithName+ □fmapLeftName inj₂ Q))
node P □wNamp+ Q Using □name , □fmapLeftName , □fmapRightName
   = node (P □wNam+ Q Using □name , □fmapLeftName , □fmapRightName)


_□wNamp+p_Using_,_,_ : {c₀ c₁ : Choice} → {i : Size} → {lu : LUniv}
    → Process i {lu} c₀
    → Process+ i {lu} c₁
    → (□name : String → String → String)
    → (□fmapLeftName : String → String)
    → (□fmapRightName : String → String)
    → Process i {lu} (c₀ ⊎' c₁)
terminate a □wNamp+p Q Using □name , □fmapLeftName , □fmapRightName
   = addTimed✓ (inj₁ a) (node (fmapWithName+ □fmapLeftName inj₂ Q))
node P □wNamp+p Q Using □name , □fmapLeftName , □fmapRightName
   = node (P □wNam++ Q Using □name , □fmapLeftName , □fmapRightName)


_□wNamp++_Using_,_,_ : {c₀ c₁ : Choice} → {i : Size} → {lu : LUniv}
    → Process i {lu} c₀
    → Process+ i {lu} c₁
    → (□name : String → String → String)
    → (□fmapLeftName : String → String)
    → (□fmapRightName : String → String)
    → Process+ i {lu} (c₀ ⊎' c₁)
terminate a □wNamp++ Q Using □name , □fmapLeftName , □fmapRightName
   = addTimed✓+ (inj₁ a) (fmapWithName+ □fmapLeftName inj₂ Q)
node P □wNamp++ Q Using □name , □fmapLeftName , □fmapRightName
   = P □wNam++ Q Using □name , □fmapLeftName , □fmapRightName

_□wNam+_Using_,_,_ : {c₀ c₁ : Choice} → {i : Size} → {lu : LUniv}
    → Process+ i {lu} c₀
    → Process+ i {lu} c₁
    → (□name : String → String → String)
    → (□fmapLeftName : String → String)
    → (□fmapRightName : String → String)
    → Process+ i {lu} (c₀ ⊎' c₁)
E (P □wNam+ Q Using □name , □fmapLeftName , □fmapRightName) = E P ⊎' E Q
Lab (P □wNam+ Q Using □name , □fmapLeftName , □fmapRightName) (inj₁ x) = Lab P x
Lab (P □wNam+ Q Using □name , □fmapLeftName , □fmapRightName) (inj₂ x) = Lab Q x
PE (P □wNam+ Q Using □name , □fmapLeftName , □fmapRightName) (inj₁ x)
   = fmapWithName∞ □fmapLeftName inj₁ (PE P x)
PE (P □wNam+ Q Using □name , □fmapLeftName , □fmapRightName) (inj₂ x)
   = fmapWithName∞ □fmapRightName inj₂ (PE Q x)
I (P □wNam+ Q Using □name , □fmapLeftName , □fmapRightName) = I P ⊎' I Q
PI (P □wNam+ Q Using □name , □fmapLeftName , □fmapRightName) (inj₁ c)
   = PI P c □wNam∞+ Q Using □name , □fmapLeftName , □fmapRightName
PI (P □wNam+ Q Using □name , □fmapLeftName , □fmapRightName) (inj₂ c)
   = P □wNam+∞ PI Q c Using □name , □fmapLeftName , □fmapRightName
T (P □wNam+ Q Using □name , □fmapLeftName , □fmapRightName) = T P ⊎' T Q
PT (P □wNam+ Q Using □name , □fmapLeftName , □fmapRightName) (inj₁ c) = inj₁ (PT P c)
PT (P □wNam+ Q Using □name , □fmapLeftName , □fmapRightName) (inj₂ c) = inj₂ (PT Q c)
Str+ (P □wNam+ Q Using □name , □fmapLeftName , □fmapRightName)
   = □name (Str+ P) (Str+ Q)


_□wNam++_Using_,_,_ : {c₀ c₁ : Choice} → {i : Size}
    → {lu : LUniv}
    → Process+ i {lu} c₀
    → Process+ i {lu} c₁
    → (□name : String → String → String)
    → (□fmapLeftName : String → String)
    → (□fmapRightName : String → String)
    → Process+ i {lu} (c₀ ⊎' c₁)
E (P □wNam++ Q Using □name , □fmapLeftName , □fmapRightName) = E P ⊎' E Q
Lab (P □wNam++ Q Using □name , □fmapLeftName , □fmapRightName) (inj₁ x) = Lab P x
Lab (P □wNam++ Q Using □name , □fmapLeftName , □fmapRightName) (inj₂ x) = Lab Q x
PE (P □wNam++ Q Using □name , □fmapLeftName , □fmapRightName) (inj₁ x)
   = fmapWithName∞ □fmapLeftName inj₁ (PE P x)
PE (P □wNam++ Q Using □name , □fmapLeftName , □fmapRightName) (inj₂ x)
   = fmapWithName∞ □fmapRightName inj₂ (PE Q x)
I (P □wNam++ Q Using □name , □fmapLeftName , □fmapRightName) = I P ⊎' I Q
PI (P □wNam++ Q Using □name , □fmapLeftName , □fmapRightName) (inj₁ c)
   = PI P c □wNam∞++ Q Using □name , □fmapLeftName , □fmapRightName
PI (P □wNam++ Q Using □name , □fmapLeftName , □fmapRightName) (inj₂ c)
   = P □wNam+∞+ PI Q c Using □name , □fmapLeftName , □fmapRightName
T (P □wNam++ Q Using □name , □fmapLeftName , □fmapRightName) = T P ⊎' T Q
PT (P □wNam++ Q Using □name , □fmapLeftName , □fmapRightName) (inj₁ c) = inj₁ (PT P c)
PT (P □wNam++ Q Using □name , □fmapLeftName , □fmapRightName) (inj₂ c) = inj₂ (PT Q c)
Str+ (P □wNam++ Q Using □name , □fmapLeftName , □fmapRightName)
   = □name (Str+ P) (Str+ Q)


_□wNam∞p_Using_,_,_ : {c₀ c₁ : Choice} → {i : Size}
    → {lu : LUniv}
    → Process∞ i {lu} c₀
    → Process i {lu} c₁
    → (□name : String → String → String)
    → (□fmapLeftName : String → String)
    → (□fmapRightName : String → String)
    → Process∞ i {lu} (c₀ ⊎' c₁)
forcep (P □wNam∞p Q Using □name , □fmapLeftName , □fmapRightName)
   = forcep P □wNam Q Using □name , □fmapLeftName , □fmapRightName
Str∞ (P □wNam∞p Q Using □name , □fmapLeftName , □fmapRightName)
   = □name (Str∞ P) (Str Q)


_□wNamp∞_Using_,_,_ : {c₀ c₁ : Choice} → {i : Size}
    → {lu : LUniv}
    → Process i {lu} c₀
    → Process∞ i {lu} c₁
    → (□name : String → String → String)
    → (□fmapLeftName : String → String)
    → (□fmapRightName : String → String)
    → Process∞ i {lu} (c₀ ⊎' c₁)
forcep (P □wNamp∞ Q Using □name , □fmapLeftName , □fmapRightName)
   = P □wNam forcep Q Using □name , □fmapLeftName , □fmapRightName
Str∞ (P □wNamp∞ Q Using □name , □fmapLeftName , □fmapRightName)
   = □name (Str P) (Str∞ Q)

A.37 fdi.agda


--@PREFIX@fdi
module fdi where

open import process
open import Size
open import choiceSetU
open import div
open import labelUniv
open import Data.Fin
open import Data.List
open import Data.Sum
open import TraceWithNextProcess
open import dataAuxFunction
open import Data.Bool.Base renaming (T to T')
open import Data.Unit
open import Data.Empty
open import auxData


-- defines the definitions which are identical in fdi and fdiModified 


mutual
  --@BEGIN@DivergentProcessinf
  record DivergentProcess∞ (i : Size){lu : LUniv}(c : Choice)
                           (P : Process∞ ∞ {lu} c) : Set where
    coinductive
    field
      forcediv : {j : Size< i} → DivergentProcess j {lu} c (forcep P)
  --@END

  --@BEGIN@DivergentProcess
  data DivergentProcess (i : Size){lu : LUniv}(c : Choice)
                        : (P : Process ∞ {lu} c) → Set where
    div : (P : Process+ ∞ c) (divP : DivergentProcess+ i c P)
          → DivergentProcess i c (node P)
  --@END

  --@BEGIN@DivergentProcessplus
  data DivergentProcess+ (i : Size){lu : LUniv}(c : Choice)
                         (P : Process+ ∞ {lu} c) : Set where
    div+ : (int : ChoiceSet (I P))
           (divP : DivergentProcess∞ i c (PI P int))
           → DivergentProcess+ i c P
  --@END

open DivergentProcess∞ public

--@BEGIN@exdivergentProcess
divDivergent : {i : Size}{lu : LUniv}(c : Choice) → DivergentProcess∞ i c (DIV∞ {∞} {lu} {c})
forcediv (divDivergent {i} {lu} c) {j} = div DIV+ (div+ zero (divDivergent {j} {lu} c))
--@END


--@BEGIN@traceDivergentinf
data TraceDivergent∞ (i : Size){lu : LUniv}(c : Choice)
                     (l : List (Label lu))
                     (P : Process∞ ∞ {lu} c) : Set where
  trdiv : (Q : Process ∞ {lu} c) (trp+ : TrP∞ {lu} {c} l (inj₁ Q) P)
          (divp : DivergentProcess i c Q)
          → TraceDivergent∞ i c l P
--@END

--@BEGIN@traceDivergentp
data TraceDivergent (i : Size){lu : LUniv}(c : Choice)
                    (l : List (Label lu))
                    (P : Process ∞ {lu} c) : Set where
  trdiv : (Q : Process ∞ {lu} c) (trp : TrP {lu} {c} l (inj₁ Q) P)
          (divp : DivergentProcess i c Q)
          → TraceDivergent i c l P
--@END

--@BEGIN@traceDivergentplus
data TraceDivergent+ (i : Size){lu : LUniv}(c : Choice)
                     (l : List (Label lu)) (P : Process+ ∞ {lu} c) : Set where
  trdiv : (Q : Process ∞ {lu} c) (trp : TrP+ {lu} {c} l (inj₁ Q) P)
          (divp : DivergentProcess i c Q)
          → TraceDivergent+ i c l P
--@END

--@BEGIN@stream
record Stream {i : Size} (X : Set) : Set where
  coinductive
  field
    head : X
    tail : {j : Size< i} → Stream {j} X
--@END

open Stream public

cons : {i : Size}{X : Set}(x : X) (s : Stream {i} X) → Stream {↑ i} X
head (cons x s) = x
tail (cons x s) = s


{- infTr are infinite traces -}

mutual
  --@BEGIN@infTraceplus
  data infTr+ {i : Size} {lu : LUniv}{c : Choice}
              : (l : Stream {∞} (Label lu))
              → (P : Process+ ∞ {lu} c) → Set where
    extc : {P : Process+ ∞ {lu} c}
           → (l : Stream {∞} (Label lu))
           → (x : ChoiceSet (E P))
           → (T' (head l ==l Lab P x))
           → infTr∞ {i} {lu} {c} (tail l) (PE P x)
           → infTr+ {i} {lu} {c} l P
    intc : {P : Process+ ∞ {lu} c}
           → (l : Stream {∞} (Label lu))
           → (x : ChoiceSet (I P))
           → infTr∞' {i} l (PI P x)
           → infTr+ {i} l P
  --@END

  --@BEGIN@infTracep
  data infTr {i : Size} {lu : LUniv}{c : Choice} :
       (l : Stream {∞} (Label lu)) →
       (P : Process ∞ {lu} c) → Set where
    tnode : {l : Stream {∞} (Label lu)}
            → {P : Process+ ∞ {lu} c}
            → infTr+ {i} {lu} {c} l P
            → infTr {i} {lu} l (node P)
  --@END

  --@BEGIN@infTraceinf
  record infTr∞ {i : Size} {lu : LUniv}{c : Choice}
                (l : Stream {∞} (Label lu))
                (P : Process∞ ∞ {lu} c) : Set where
    coinductive
    field
      forcetP : {j : Size< i} → infTr {j} l (forcep P)

  infTr∞' : {i : Size} {lu : LUniv}{c : Choice}
            (l : Stream {∞} (Label lu))
            (P : Process∞ ∞ {lu} c) → Set
  infTr∞' {i} {lu} {c} l P = infTr {i} l (forcep P)
  --@END

open infTr∞ public


--@BEGIN@exampleInfprocess
-- a → a → a ....
mutual
  infIP∞ : {i : Size} → {lu : LUniv} → {c : Choice} → (l : (Label lu)) → Process∞ i c
  forcep (infIP∞ l) = infIP l
  Str∞ (infIP∞ l) = "infIP"

  infIP : {i : Size} → {lu : LUniv} → {c : Choice} → (l : (Label lu)) → Process i c
  infIP l = node (infIP+ l)

  infIP+ : {i : Size} → {lu : LUniv} → {c : Choice} → (l : (Label lu)) → Process+ i c
  E (infIP+ {i} {c} l) = fin 1
  Lab (infIP+ {i} {c} l) _ = l
  PE (infIP+ {i} {c} l) _ = infIP∞ l
  I (infIP+ {i} {c} l) = ∅'
  PI (infIP+ {i} {c} l) ()
  T (infIP+ {i} {c} l) = ∅'
  PT (infIP+ {i} {c} l) ()
  Str+ (infIP+ {i} {c} l) = "infIP+ l"

infl : {lu : LUniv}(l : (Label lu)) → Stream {∞} (Label lu)
head (infl l) = l
tail (infl l) = infl l
--@END

--@BEGIN@exampleInfTrace
mutual
  infTraceInfIP∞ : {lu : LUniv}{c : Choice}(l : (Label lu)) → infTr∞ {∞} {lu} {c} (infl l) (infIP∞ l)
  forcetP (infTraceInfIP∞ {lu} {c} l) {j} = infTraceInfIP {lu} {c} l

  infTraceInfIP : {lu : LUniv}{c : Choice}(l : (Label lu)) → infTr {∞} {lu} {c} (infl l) (infIP l)
  infTraceInfIP {lu} {c} l = tnode (infTraceInfIP+ l)

  infTraceInfIP+ : {lu : LUniv}{c : Choice}(l : (Label lu)) → infTr+ {∞} {lu} {c} (infl l) (infIP+ l)
  infTraceInfIP+ {lu} {c} l = extc (infl l) zero (refl==l {lu} {l = l}) (infTraceInfIP∞ {lu} {c} l)
--@END


mutual
  --@BEGIN@processStableInfSch
  stableSch∞ : {lu : LUniv}{c : Choice}(P : Process∞ ∞ {lu} c) → Set
  stableSch∞ P = stableSch (forcep P)
  --@END

  --@BEGIN@processStableSch
  stableSch+ : {lu : LUniv}{c : Choice}(P : Process+ ∞ {lu} c) → Set
  stableSch+ P = ¬ (ChoiceSet (I P))

  stableSch : {lu : LUniv}{c : Choice}(P : Process ∞ {lu} c) → Set
  stableSch (terminate x) = ⊤
  stableSch (node P) = stableSch+ P
  --@END

-- In this def we follow Schneider book Page 172
-- that a process is stable if it has no tau transitions
-- where tick events are no tau transitions
-- the above is Schneider stability.
-- Roscoe stability would mean
-- stable+ : {c : Choice}(P : Process+ ∞ {lu} c) → Set
-- stable+ P = ((int : ChoiceSet (I P)) → ⊥) ×
--             ((t : ChoiceSet (T P)) → ⊥)
-- stable : {c : Choice}(P : Process ∞ {lu} c) → Set
-- stable {c} (terminate x) = ⊥
-- stable {c} (node P) = stable+ P


--@BEGIN@NoTickIfRoscoe
noTickIfRoscoe+ : {lu : LUniv}{c : Choice}(isRoscoe : Bool)
                  (P : Process+ ∞ {lu} c) → Set
noTickIfRoscoe+ false P = ⊤
noTickIfRoscoe+ true P = ¬ (ChoiceSet (T P))

noTickIfRoscoe : {lu : LUniv}{c : Choice}(isRoscoe : Bool)
                 (P : Process ∞ {lu} c)
                 → Set
noTickIfRoscoe false (terminate x) = ⊤
noTickIfRoscoe true (terminate x) = ⊥
noTickIfRoscoe isRoscoe (node Q) = noTickIfRoscoe+ isRoscoe Q
--@END


mutual
  --@BEGIN@processStableInf
  stableParametrized∞ : {lu : LUniv}{c : Choice}(isRoscoe : Bool)
                        (P : Process∞ ∞ {lu} c) → Set
  stableParametrized∞ b P = stableParametrized b (forcep P)
  --@END

  --@BEGIN@processStable
  stableParametrized+ : {lu : LUniv}{c : Choice}(isRoscoe : Bool)
                        (P : Process+ ∞ {lu} c) → Set
  stableParametrized+ isRoscoe P = stableSch+ P ×
                                   noTickIfRoscoe+ isRoscoe P

  stableParametrized : {lu : LUniv}{c : Choice}(isRoscoe : Bool)
                       (P : Process ∞ {lu} c) → Set
  stableParametrized {c} isRoscoe (terminate x) = ¬ (T' isRoscoe)
  stableParametrized {c} b (node P) = stableParametrized+ b P
  --@END

--@BEGIN@processStableUnparametrized
stable∞ : {lu : LUniv}{c : Choice}(P : Process∞ ∞ {lu} c) → Set
stable∞ P = stableParametrized∞ true P

stable+ : {lu : LUniv}{c : Choice}(P : Process+ ∞ {lu} c) → Set
stable+ P = stableParametrized+ true P

stable : {lu : LUniv}{c : Choice}(P : Process ∞ {lu} c) → Set
stable P = stableParametrized true P
--@END


--@BEGIN@stabToNoInternalChoice
stabToNoInternal+ : {lu : LUniv}{c : Choice}(P : Process+ ∞ {lu} c)
                    (stab : stable+ P)
                    → ¬ (ChoiceSet (I P))
stabToNoInternal+ P (noInterCh ,, notermEv) intChoice = noInterCh intChoice
--@END

stabSchNoTickIfRos2StablePar+ : {lu : LUniv}{c : Choice}(P : Process+ ∞ {lu} c)
                                (isRoscoe : Bool)
                                (stab : stableSch+ P)
                                (notick : noTickIfRoscoe+ isRoscoe P)
                                → stableParametrized+ isRoscoe P
stabSchNoTickIfRos2StablePar+ P isRoscoe stab notick = stab ,, notick

--@BEGIN@stabSchNoTickIfRostwoStablePar
stabSchNoTickIfRos2StablePar : {lu : LUniv}{c : Choice}(P : Process ∞ {lu} c)
                               (isRoscoe : Bool)
                               (stabSch : stableSch P)
                               (notick : noTickIfRoscoe isRoscoe P)
                               → stableParametrized isRoscoe P
stabSchNoTickIfRos2StablePar (terminate x) false stabSch notick ()
stabSchNoTickIfRos2StablePar (terminate x) true stabSch ()
stabSchNoTickIfRos2StablePar (node x) false stabSch notick = stabSch ,, _
stabSchNoTickIfRos2StablePar (node x) true stabSch notick = stabSch ,, notick
--@END


A.38 fdiImpliesEquivalence.agda


module fdiImpliesEquivalence where

open import process
open import choiceSetU
open import Size
open import Relation.Binary.PropositionalEquality
open import Data.Sum
open import renamingResult
open import lemFmap
open import auxData
open import RefWithoutSize
open import bisimilarity
open import bisimSImpliesBisimw
open import bisimilarityProofs
open import bisimImpliesTraceEquiv
open import bisimLemFmap
open import bisimImpliesFDI
open import fdiRefusal
open import bisimImpliesBisim
open import externalChoice
open import addTick
open import labelUniv

A.39 fdiOld.agda


--@PREFIX@fdi

-- files which were in fdi.agda before renaming fdiCommonNormalAndModified.agda
-- to fdi

module fdiOld where

open import process
open import Size
open import choiceSetU
open import div
open import labelUniv
open import Data.Fin
open import Data.List
open import Data.Sum
open import TraceWithNextProcess
open import dataAuxFunction
open import Data.Bool.Base renaming (T to T')
open import Data.Unit
open import Data.Empty
open import auxData


A.40 fdiPart2.agda


--@PREFIX@mainfdiPartTwo
module fdiPart2 where

open import process
open import Size
open import choiceSetU
open import primitiveProcess
open import div
open import Data.Fin
open import Data.List
open import Data.Sum
open import TraceWithNextProcess
open import dataAuxFunction
open import Data.Bool.Base renaming (T to T')
open import Data.Unit
open import Data.Maybe
open import dataAuxFunction
open import Data.Empty
open import TraceWithoutSize
open import RefWithoutSize
open import auxData
open import labelUniv
open import fdi


--@BEGIN@refusalsinf
data refusal∞ {lu : LUniv}{c : Choice}(P : Process∞ ∞ {lu} c)
              (X : (Label lu) → Bool) : Set where
  refusalp : (Q : Process ∞ {lu} c)
             (tr : TrP∞ {lu} {c} [] (inj₁ Q) P)
             (stab : stable Q)
             (Xreject : (l : (Label lu)) → (T' (X l))
                        → ¬ (Tr (l ∷ []) nothing Q))
             → refusal∞ P X
--@END

--@BEGIN@refusalsp
data refusal {lu : LUniv}{c : Choice}(P : Process ∞ {lu} c)
             (X : (Label lu) → Bool) : Set where
  refusalp : (Q : Process ∞ {lu} c)
             (tr : TrP {lu} {c} [] (inj₁ Q) P)
             (stab : stable Q)
             (Xreject : (l : (Label lu)) → (T' (X l))
                        → ¬ (Tr (l ∷ []) nothing Q))
             → refusal P X
--@END

--@BEGIN@refusalsPlus
data refusal+ {lu : LUniv}{c : Choice}(P : Process+ ∞ {lu} c)
              (X : (Label lu) → Bool) : Set where
  refusalp : (Q : Process ∞ {lu} c)
             (tr : TrP+ {lu} {c} [] (inj₁ Q) P)
             (stab : stable Q)
             (Xreject : (l : (Label lu)) → (T' (X l))
                        → ¬ (Tr (l ∷ []) nothing Q))
             → refusal+ P X
--@END


--@BEGIN@stableFailureinf
data stableFailure∞ {lu : LUniv}{c : Choice}(P : Process∞ ∞ {lu} c)
                    (l : List (Label lu))
                    (X : (Label lu) → Bool) : Set where
  stableFp : (Q : Process ∞ {lu} c)
             (tr : TrP∞ {lu} {c} l (inj₁ Q) P)
             (stab : stable Q)
             (refuse : refusal Q X)
             → stableFailure∞ P l X
--@END

--@BEGIN@stableFailurep
data stableFailure {lu : LUniv}{c : Choice}(P : Process ∞ {lu} c)
                   (l : List (Label lu))
                   (X : (Label lu) → Bool) : Set where
  stableFp : (Q : Process ∞ {lu} c)
             (tr : TrP {lu} {c} l (inj₁ Q) P)
             (stab : stable Q)
             (refuse : refusal Q X)
             → stableFailure P l X
--@END

--@BEGIN@stableFailurePlus
data stableFailure+ {lu : LUniv}{c : Choice}(P : Process+ ∞ {lu} c)
                    (l : List (Label lu))
                    (X : (Label lu) → Bool) : Set where
  stableFp : (Q : Process ∞ {lu} c)
             (tr : TrP+ {lu} {c} l (inj₁ Q) P)
             (stab : stable Q)
             (refuse : refusal Q X)
             → stableFailure+ P l X
--@END


--@BEGIN@failureinf
data failure∞ {lu : LUniv}{c : Choice}(P : Process∞ ∞ {lu} c)
              (l : List (Label lu))
              (X : (Label lu) → Bool) : Set where
  stableFail : stableFailure∞ P l X
               → failure∞ P l X
  divergentFailure : TraceDivergent∞ ∞ c l P
                     → failure∞ P l X
--@END

--@BEGIN@failurePlus
data failure+ {lu : LUniv}{c : Choice}(P : Process+ ∞ {lu} c)
              (l : List (Label lu))
              (X : (Label lu) → Bool) : Set where
  stableFail : stableFailure+ P l X
               → failure+ P l X
  divergentFailure : TraceDivergent+ ∞ c l P
                     → failure+ P l X
--@END

--@BEGIN@failurep
data failure {lu : LUniv}{c : Choice}(P : Process ∞ {lu} c)
             (l : List (Label lu))
             (X : (Label lu) → Bool) : Set where
  stableFail : stableFailure P l X
               → failure P l X
  divergentFailure : TraceDivergent ∞ c l P
                     → failure P l X
--@END


--@BEGIN@SFRP
_⊑sf₁_ : {lu : LUniv}{c : Choice} (P : Process ∞ {lu} c)
         (Q : Process ∞ {lu} c) → Set
_⊑sf₁_ {lu}{c} P Q = (l : List (Label lu)) (X : (Label lu) → Bool)
                    → stableFailure Q l X
                    → stableFailure P l X
--@END

--@BEGIN@SFRPlus
_⊑sf₁+_ : {lu : LUniv}{c : Choice} (P : Process+ ∞ {lu} c)
          (Q : Process+ ∞ {lu} c) → Set
_⊑sf₁+_ {lu} {c} P Q = (l : List (Label lu)) (X : (Label lu) → Bool)
                      → stableFailure+ Q l X
                      → stableFailure+ P l X
--@END

--@BEGIN@SFRinf
_⊑sf₁∞_ : {lu : LUniv}{c : Choice} (P : Process∞ ∞ {lu} c)
          (Q : Process∞ ∞ {lu} c) → Set
_⊑sf₁∞_ {lu} {c} P Q = (l : List (Label lu)) (X : (Label lu) → Bool)
                      → stableFailure∞ Q l X
                      → stableFailure∞ P l X
--@END

--@BEGIN@SF
_⊑sf_ : {lu : LUniv}{c : Choice} (P : Process ∞ {lu} c)
        (Q : Process ∞ {lu} c) → Set
P ⊑sf Q = (P ⊑ Q) × (P ⊑sf₁ Q)
--@END


--@BEGIN@fdi
_⊑fdi₁_ : {lu : LUniv}{c : Choice} (P : Process ∞ {lu} c)
          (Q : Process ∞ {lu} c) → Set
_⊑fdi₁_ {lu} {c} P Q = (l : List (Label lu)) → TraceDivergent ∞ c l Q
                       → TraceDivergent ∞ c l P
--@END

--@BEGIN@fdit
_⊑fdi₂_ : {lu : LUniv}{c : Choice} (P : Process ∞ {lu} c)
          (Q : Process ∞ {lu} c) → Set
_⊑fdi₂_ {lu} {c} P Q = (l : List (Label lu))(X : (Label lu) → Bool)
                       → stableFailure Q l X → stableFailure P l X

_⊑fdi₂+_ : {lu : LUniv}{c : Choice} (P : Process+ ∞ {lu} c)
           (Q : Process+ ∞ {lu} c) → Set
_⊑fdi₂+_ {lu} {c} P Q = (l : List (Label lu))(X : (Label lu) → Bool)
                        → stableFailure+ Q l X → stableFailure+ P l X

_⊑fdi₂∞_ : {lu : LUniv}{c : Choice} (P : Process∞ ∞ {lu} c)
           (Q : Process∞ ∞ {lu} c) → Set
_⊑fdi₂∞_ {lu} {c} P Q = (l : List (Label lu))(X : (Label lu) → Bool)
                        → stableFailure∞ Q l X → stableFailure∞ P l X
--@END

--@BEGIN@fdiref
_⊑fdi_ : {lu : LUniv}{c : Choice} (P : Process ∞ {lu} c)
         (Q : Process ∞ {lu} c) → Set
P ⊑fdi Q = ((P ⊑ Q) × (P ⊑fdi₁ Q)) × (P ⊑fdi₂ Q)

_≡fdi_ : {lu : LUniv}{c₀ : Choice} → (P Q : Process ∞ {lu} c₀) → Set
P ≡fdi Q = (P ⊑fdi Q) × (Q ⊑fdi P)
--@END


A.41 fdiRefusal.agda


--@PREFIX@mainfdiRefusal
module fdiRefusal where

open import process
open import Size
open import choiceSetU
open import primitiveProcess
open import div
open import labelUniv
open import Data.Fin
open import Data.List
open import Data.Sum
open import TraceWithNextProcess
open import dataAuxFunction
open import Data.Bool.Base renaming (T to T')
open import Data.Unit
open import Data.Maybe
open import dataAuxFunction
open import Data.Empty
open import TraceWithoutSize
open import RefWithoutSize
open import auxData
open import fdi

-- In this def we follow Schneider book Page 172
-- that a process is stable if it has no tau transitions
-- where tick events are no tau transitions

-- if we had Q : Process+
-- then we could write
-- Xreject : (e : E Q) → ¬ (T' (X ((Label lu) Q e)))
-- however Q : Process
-- but you can define
-- Ep : Process → ChoiceSet
-- Ep (terminate a) = emptyset
-- Ep (node Q) = E Q
-- same for (Label lu)
-- labelp : (Q : Process) → ChoiceSet (Ep Q) → (Label lu)
-- labelp (terminate a) ()
-- labelp (node Q) a = label Q a


-- dRefusal for direct refusal
--@BEGIN@NoExtChInX
NoExtChInX : {lu : LUniv}{c : Choice}(Q : Process+ ∞ c)
             (X : (Label lu) → Bool)
             → Set
NoExtChInX Q X = (e : ChoiceSet (E Q)) → ¬ (T' (X (Lab Q e)))
--@END

--@BEGIN@NoTicksIfIsRoscoe
NoTicksIfIsRoscoe : {lu : LUniv}{c : Choice}(Q : Process+ ∞ {lu} c)
                    (isRoscoe : Bool)
                    → Set
NoTicksIfIsRoscoe Q isRoscoe = (tickIsIncl : T' isRoscoe)
                               → ¬ (ChoiceSet (T Q))
--@END

--@BEGIN@DRefusal
data DRefusal+ {lu : LUniv}{c : Choice}(Q : Process+ ∞ {lu} c)
               (isRoscoe : Bool)
               (X : (Label lu) → Bool) : Set where
  drefusal : (noextChInX : NoExtChInX Q X)
             (noTerm : NoTicksIfIsRoscoe Q isRoscoe)
             → DRefusal+ Q isRoscoe X

DRefusal : {lu : LUniv}{c : Choice}(Q : Process ∞ {lu} c)
           (isRoscoe : Bool)
           (X : (Label lu) → Bool) → Set
DRefusal {lu}{c} (terminate x) isRoscoe X = ¬ (T' isRoscoe)
DRefusal {lu}{c} (node x) isRoscoe X = DRefusal+ {lu}{c} x isRoscoe X

DRefusal∞ : {lu : LUniv}{c : Choice}(Q : Process∞ ∞ {lu} c)
            (isRoscoe : Bool)
            (X : (Label lu) → Bool) → Set
DRefusal∞ {lu}{c} Q isRoscoe X = DRefusal {lu}{c} (forcep Q) isRoscoe X
--@END


-- old version:
-- (Xreject : (l : (Label lu)) → (T' (X l))
--            → ¬ (Tr (l ∷ []) nothing Q))
-- (terreject : (T' isRoscoe)
--              → (x : ChoiceSet c)
--              → ¬ (Tr [] (just x) Q))
-- if Q is stable the two definitions should be equivalent

-- -- Old versions of refusal with commented out code which is now left out

-- data refusal {lu : LUniv}{c : Choice}(P : Process ∞ {lu} c) (isRoscoe : Bool)
--              (X : (Label lu) → Bool) : Set where
--   refusalp : (Q : Process ∞ {lu} c)
--              (tr : TrP {lu}{c} [] (inj₁ Q) P)
--              (stab : stable Q)
--              (drefuse : DRefusal Q isRoscoe X)
--              {- (Xreject : (l : (Label lu)) → (T' (X l))
--                            → ¬ (Tr (l ∷ []) nothing Q))
--                 (terreject : (T' isRoscoe)
--                              → (x : ChoiceSet c)
--                              → ¬ (Tr [] (just x) Q)) -}
--              → refusal P isRoscoe X

-- data refusal+ {lu : LUniv}{c : Choice}(P : Process+ ∞ {lu} c)(isRoscoe : Bool)
--               (X : (Label lu) → Bool) : Set where
--   refusalp : (Q : Process ∞ {lu} c)
--              (tr : TrP+ {lu}{c} [] (inj₁ Q) P)
--              (stab : stable Q)
--              (drefuse : DRefusal Q isRoscoe X)
--              {- (Xreject : (l : (Label lu)) → (T' (X l))
--                            → ¬ (Tr (l ∷ []) nothing Q))
--                 (terreject : (T' isRoscoe)
--                              → (x : ChoiceSet c)
--                              → ¬ (Tr [] (just x) Q)) -}
--              → refusal+ P isRoscoe X

-- data refusal∞ {lu : LUniv}{c : Choice}(P : Process∞ ∞ {lu} c)(isRoscoe : Bool)
--               (X : (Label lu) → Bool) : Set where
--   refusalp : (Q : Process ∞ {lu} c)
--              (tr : TrP∞ {lu}{c} [] (inj₁ Q) P)
--              (stab : stable Q)
--              (drefuse : DRefusal Q isRoscoe X)
--              {- (Xreject : (l : (Label lu)) → (T' (X l))
--                            → ¬ (Tr (l ∷ []) nothing Q))
--                 (terreject : (T' isRoscoe)
--                              → (x : ChoiceSet c)
--                              → ¬ (Tr [] (just x) Q))
--              -}
--              → refusal∞ P isRoscoe X

--@BEGIN@refusalsp
data refusal {lu : LUniv}{c : Choice}(P : Process ∞ {lu} c)(isRoscoe : Bool)
             (X : (Label lu) → Bool) : Set where
  refusalp : (Q : Process ∞ {lu} c)
             (tr : TrP {lu}{c} [] (inj₁ Q) P)
             (stab : stable Q)
             (drefuse : DRefusal Q isRoscoe X)
             → refusal P isRoscoe X
--@END

--@BEGIN@refusalsPlus
data refusal+ {lu : LUniv}{c : Choice}(P : Process+ ∞ {lu} c)(isRoscoe : Bool)
              (X : (Label lu) → Bool) : Set where
  refusalp : (Q : Process ∞ {lu} c)
             (tr : TrP+ {lu}{c} [] (inj₁ Q) P)
             (stab : stable Q)
             (drefuse : DRefusal Q isRoscoe X)
             → refusal+ P isRoscoe X
--@END

--@BEGIN@refusalsinf
data refusal∞ {lu : LUniv}{c : Choice}(P : Process∞ ∞ {lu} c)(isRoscoe : Bool)
              (X : (Label lu) → Bool) : Set where
  refusalp : (Q : Process ∞ {lu} c)
             (tr : TrP∞ {lu}{c} [] (inj₁ Q) P)
             (stab : stable Q)
             (drefuse : DRefusal Q isRoscoe X)
             → refusal∞ P isRoscoe X
--@END
--@BEGIN@stableFailureinf
data stableFailure∞ {lu : LUniv}{c : Choice}(P : Process∞ ∞ {lu} c)
                    (l : List (Label lu))
                    (isRoscoe : Bool)
                    (X : (Label lu) → Bool) : Set where
  stableFp : (Q : Process ∞ {lu} c)
             (tr : TrP∞ {lu}{c} l (inj₁ Q) P)
             (stab : stable Q)
             (drefuse : DRefusal Q isRoscoe X)
             → stableFailure∞ P l isRoscoe X
--@END

--@BEGIN@stableFailurep
data stableFailure {lu : LUniv}{c : Choice}(P : Process ∞ {lu} c)
                   (l : List (Label lu))
                   (isRoscoe : Bool)
                   (X : (Label lu) → Bool) : Set where
  stableFp : (Q : Process ∞ {lu} c)
             (tr : TrP {lu}{c} l (inj₁ Q) P)
             (stab : stable Q)
             (drefuse : DRefusal Q isRoscoe X)
             → stableFailure P l isRoscoe X
--@END

--@BEGIN@stableFailurePlus
data stableFailure+ {lu : LUniv}{c : Choice}(P : Process+ ∞ {lu} c)
                    (l : List (Label lu))
                    (isRoscoe : Bool)
                    (X : (Label lu) → Bool) : Set where
  stableFp : (Q : Process ∞ {lu} c)
             (tr : TrP+ {lu}{c} l (inj₁ Q) P)
             (stab : stable Q)
             (drefuse : DRefusal Q isRoscoe X)
             → stableFailure+ P l isRoscoe X
--@END


--@BEGIN@failureinf
data failure∞ {lu : LUniv}{c : Choice}(P : Process∞ ∞ {lu} c)
              (l : List (Label lu))
              (isRoscoe : Bool)
              (X : (Label lu) → Bool) : Set where
  stableFail : stableFailure∞ P l isRoscoe X
               → failure∞ P l isRoscoe X
  divergentFailure : TraceDivergent∞ ∞ c l P
                     → failure∞ P l isRoscoe X
--@END

--@BEGIN@failurePlus
data failure+ {lu : LUniv}{c : Choice}(P : Process+ ∞ {lu} c)
              (l : List (Label lu))
              (isRoscoe : Bool)
              (X : (Label lu) → Bool) : Set where
  stableFail : stableFailure+ P l isRoscoe X
               → failure+ P l isRoscoe X
  divergentFailure : TraceDivergent+ ∞ c l P
                     → failure+ P l isRoscoe X
--@END

--@BEGIN@failurep
data failure {lu : LUniv}{c : Choice}(P : Process ∞ {lu} c)
             (l : List (Label lu))
             (isRoscoe : Bool)
             (X : (Label lu) → Bool) : Set where
  stableFail : stableFailure P l isRoscoe X
               → failure P l isRoscoe X
  divergentFailure : TraceDivergent ∞ c l P
                     → failure P l isRoscoe X
--@END


--@BEGIN@SFRP
_⊑sf₁_ : {lu : LUniv}{c : Choice} (P : Process ∞ {lu} c)
         (Q : Process ∞ {lu} c) → Set
_⊑sf₁_ {lu}{c} P Q = (l : List (Label lu)) (X : (Label lu) → Bool)
                    → stableFailure Q l true X
                    → stableFailure P l true X
--@END

--@BEGIN@SFRPlus
_⊑sf₁+_ : {lu : LUniv}{c : Choice} (P : Process+ ∞ {lu} c)
          (Q : Process+ ∞ {lu} c) → Set
_⊑sf₁+_ {lu} {c} P Q = (l : List (Label lu)) (X : (Label lu) → Bool)
                      → stableFailure+ Q l true X
                      → stableFailure+ P l true X
--@END

--@BEGIN@SFRinf
_⊑sf₁∞_ : {lu : LUniv}{c : Choice} (P : Process∞ ∞ {lu} c)
          (Q : Process∞ ∞ {lu} c) → Set
_⊑sf₁∞_ {lu} {c} P Q = (l : List (Label lu)) (X : (Label lu) → Bool)
                      → stableFailure∞ Q l true X
                      → stableFailure∞ P l true X
--@END


--OBEGINOSF 


o 
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_Csf_ : {lu : LUniv}{c : Choice} (P : Process oo {lu} c ) 

(Q : Process oo {lu} c ) —>■ Set 
P Esf Q = {P E Q) x {P Csfi <5) 

_=sf_ : {/« : LUniv}{c : Choice} (P : Process oo {lu} c ) 

(<5 : Process oo {lu} c) — » Set 
P =sf Q = (P Csf <5) x (<5 Esf -P) 


--(SEND 


_⊑sf+_ : {lu : LUniv}{c : Choice} (P : Process+ ∞ {lu} c)
         (Q : Process+ ∞ {lu} c) → Set
P ⊑sf+ Q = (P ⊑+ Q) × (P ⊑sf₁+ Q)

_⊑sf∞_ : {lu : LUniv}{c : Choice} (P : Process∞ ∞ {lu} c)
         (Q : Process∞ ∞ {lu} c) → Set
P ⊑sf∞ Q = (P ⊑∞ Q) × (P ⊑sf₁∞ Q)


_≡sf+_ : {lu : LUniv}{c : Choice} (P : Process+ ∞ {lu} c)
         (Q : Process+ ∞ {lu} c) → Set
P ≡sf+ Q = (P ⊑sf+ Q) × (Q ⊑sf+ P)

_≡sf∞_ : {lu : LUniv}{c : Choice} (P : Process∞ ∞ {lu} c)
         (Q : Process∞ ∞ {lu} c) → Set
P ≡sf∞ Q = (P ⊑sf∞ Q) × (Q ⊑sf∞ P)


-- data TraceDivergentNoTr∞ (i : Size){lu : LUniv}(c : Choice)
--      (P : Process∞ ∞ {lu} c) : Set where
--   trdiv : (Q : Process ∞ {lu} c)
--           (trp+ : TrP∞ {lu}{c} l (inj₁ Q) P)
--           (divp : DivergentProcess i c Q)
--           → TraceDivergentNoTr∞ i c l P

-- data TraceDivergentNoTr (i : Size){lu : LUniv}(c : Choice)(l : List (Label lu))
--      (P : Process ∞ {lu} c) : Set where


a 


o 





536 


A.41. fdiRefusal.agda 

o-o 


--   trdiv : (Q : Process ∞ {lu} c)
--           (trp : TrP {lu}{c} l (inj₁ Q) P)
--           (divp : DivergentProcess i c Q)
--           → TraceDivergentNoTr i c l P


-- data TraceDivergentNoTr+ (i : Size){lu : LUniv}(c : Choice)
--      (P : Process+ ∞ {lu} c) : Set where
--   trdiv : (Q : Process ∞ {lu} c)
--           (trp : TrP+ {lu}{c} l (inj₁ Q) P)
--           (divp : DivergentProcess i c Q)
--           → TraceDivergentNoTr+ i c l P


data stableFailureNoTr∞ {lu : LUniv}{c : Choice}(P : Process∞ ∞ {lu} c)
                        (isRoscoe : Bool)
                        (X : (Label lu) → Bool) : Set where
  stableFp : (stab : stable∞ P)
             (refuse : refusal∞ P isRoscoe X)
             → stableFailureNoTr∞ P isRoscoe X


data stableFailureNoTr {lu : LUniv}{c : Choice}(P : Process ∞ {lu} c)
                       (isRoscoe : Bool)
                       (X : (Label lu) → Bool) : Set where
  stableFp : (stab : stable P)
             (refuse : refusal P isRoscoe X)
             → stableFailureNoTr P isRoscoe X


data stableFailureNoTr+ {lu : LUniv}{c : Choice}(P : Process+ ∞ {lu} c)
                        (isRoscoe : Bool)
                        (X : (Label lu) → Bool) : Set where
  stableFp : (stab : stable+ P)
             (refuse : refusal+ P isRoscoe X)
             → stableFailureNoTr+ P isRoscoe X


data failureNoTr∞ {lu : LUniv}{c : Choice}(P : Process∞ ∞ {lu} c)
                  (isRoscoe : Bool)
                  (X : (Label lu) → Bool) : Set where
  stableFail : stableFailureNoTr∞ P isRoscoe X
               → failureNoTr∞ P isRoscoe X
  divergentFailure : DivergentProcess∞ ∞ {lu} c P
               → failureNoTr∞ P isRoscoe X


data failureNoTr+ {lu : LUniv}{c : Choice}(P : Process+ ∞ {lu} c)
                  (isRoscoe : Bool)
                  (X : (Label lu) → Bool) : Set where
  stableFail : stableFailureNoTr+ P isRoscoe X
               → failureNoTr+ P isRoscoe X
  divergentFailure : DivergentProcess+ ∞ {lu} c P
               → failureNoTr+ P isRoscoe X


data failureNoTr {lu : LUniv}{c : Choice}(P : Process ∞ {lu} c)
                 (isRoscoe : Bool)
                 (X : (Label lu) → Bool) : Set where
  stableFail : stableFailureNoTr P isRoscoe X
               → failureNoTr P isRoscoe X
  divergentFailure : DivergentProcess ∞ {lu} c P
               → failureNoTr P isRoscoe X


data failureWithTr∞ {lu : LUniv}{c : Choice}(P : Process∞ ∞ {lu} c)
                    (l : List (Label lu))
                    (isRoscoe : Bool)
                    (X : (Label lu) → Bool) : Set where
  failWithTr : (Q : Process ∞ {lu} c)
               (fail : failureNoTr Q isRoscoe X)
               (tr : TrP∞ l (inj₁ Q) P)
               → failureWithTr∞ P l isRoscoe X


data failureWithTr {lu : LUniv}{c : Choice}(P : Process ∞ {lu} c)
                   (l : List (Label lu))
                   (isRoscoe : Bool)
                   (X : (Label lu) → Bool) : Set where
  failWithTr : (Q : Process ∞ {lu} c)
               (fail : failureNoTr Q isRoscoe X)
               (tr : TrP l (inj₁ Q) P)
               → failureWithTr P l isRoscoe X


data failureWithTr+ {lu : LUniv}{c : Choice}(P : Process+ ∞ {lu} c)
                    (l : List (Label lu))
                    (isRoscoe : Bool)
                    (X : (Label lu) → Bool) : Set where
  failWithTr : (Q : Process ∞ {lu} c)
               (fail : failureNoTr Q isRoscoe X)
               (tr : TrP+ l (inj₁ Q) P)
               → failureWithTr+ P l isRoscoe X


data stableFailureWithTr∞ {lu : LUniv}{c : Choice}(P : Process∞ ∞ {lu} c)
                          (l : List (Label lu))
                          (isRoscoe : Bool)
                          (X : (Label lu) → Bool) : Set where
  stableFailWithTr : (Q : Process ∞ {lu} c)
                     (fail : stableFailureNoTr Q isRoscoe X)
                     (tr : TrP∞ l (inj₁ Q) P)
                     → stableFailureWithTr∞ P l isRoscoe X


data stableFailureWithTr {lu : LUniv}{c : Choice}(P : Process ∞ {lu} c)
                         (l : List (Label lu))
                         (isRoscoe : Bool)
                         (X : (Label lu) → Bool) : Set where
  stableFailWithTr : (Q : Process ∞ {lu} c)
                     (fail : stableFailureNoTr Q isRoscoe X)
                     (tr : TrP l (inj₁ Q) P)
                     → stableFailureWithTr P l isRoscoe X


data stableFailureWithTr+ {lu : LUniv}{c : Choice}(P : Process+ ∞ {lu} c)
                          (l : List (Label lu))
                          (isRoscoe : Bool)
                          (X : (Label lu) → Bool) : Set where
  stableFailWithTr : (Q : Process ∞ {lu} c)
                     (fail : stableFailureNoTr Q isRoscoe X)
                     (tr : TrP+ l (inj₁ Q) P)
                     → stableFailureWithTr+ P l isRoscoe X


--@BEGIN@fdi

_⊑fdi₁_ : {lu : LUniv}{c : Choice} (P : Process ∞ {lu} c)
          (Q : Process ∞ {lu} c) → Set
_⊑fdi₁_ {lu}{c} P Q = (l : List (Label lu))
                      → TraceDivergent ∞ c l Q
                      → TraceDivergent ∞ c l P

--@END


_⊑fdi₁+_ : {lu : LUniv}{c : Choice} (P : Process+ ∞ {lu} c)
           (Q : Process+ ∞ {lu} c) → Set
_⊑fdi₁+_ {lu}{c} P Q = (l : List (Label lu))
                       → TraceDivergent+ ∞ c l Q
                       → TraceDivergent+ ∞ c l P


_⊑fdi₁∞_ : {lu : LUniv}{c : Choice} (P : Process∞ ∞ {lu} c)
           (Q : Process∞ ∞ {lu} c) → Set
_⊑fdi₁∞_ {lu}{c} P Q = (l : List (Label lu))
                       → TraceDivergent∞ ∞ c l Q
                       → TraceDivergent∞ ∞ c l P


--@BEGIN@fdit

_⊑fdi₂ros_ : {lu : LUniv}{c : Choice} (P : Process ∞ {lu} c)
             (Q : Process ∞ {lu} c) → Set
_⊑fdi₂ros_ {lu}{c} P Q = (l : List (Label lu))
                         (X : (Label lu) → Bool)
                         → failure Q l true X
                         → failure P l true X

--@END


_⊑fdi₂ros+_ : {lu : LUniv}{c : Choice} (P : Process+ ∞ {lu} c)
              (Q : Process+ ∞ {lu} c) → Set
_⊑fdi₂ros+_ {lu}{c} P Q = (l : List (Label lu))
                          (X : (Label lu) → Bool)
                          → failure+ Q l true X
                          → failure+ P l true X


_⊑fdi₂ros∞_ : {lu : LUniv}{c : Choice} (P : Process∞ ∞ {lu} c)
              (Q : Process∞ ∞ {lu} c) → Set
_⊑fdi₂ros∞_ {lu}{c} P Q = (l : List (Label lu))
                          (X : (Label lu) → Bool)
                          → failure∞ Q l true X
                          → failure∞ P l true X

--@BEGIN@fdiInfTraces

_⊑fdi₃_ : {lu : LUniv}{c : Choice} (P : Process ∞ {lu} c)
          (Q : Process ∞ {lu} c) → Set
_⊑fdi₃_ {lu}{c} P Q = (l : Stream {∞} (Label lu))
                      (tr : infTr {∞} l Q)
                      → infTr {∞} l P

--@END


_⊑fdi₃+_ : {lu : LUniv}{c : Choice} (P : Process+ ∞ {lu} c)
           (Q : Process+ ∞ {lu} c) → Set
_⊑fdi₃+_ {lu}{c} P Q = (l : Stream {∞} (Label lu))
                       (tr : infTr+ {∞} l Q)
                       → infTr+ {∞} l P

_⊑fdi₃∞_ : {lu : LUniv}{c : Choice} (P : Process∞ ∞ {lu} c)
           (Q : Process∞ ∞ {lu} c) → Set
_⊑fdi₃∞_ {lu}{c} P Q = (l : Stream {∞} (Label lu))
                       (tr : infTr∞ {∞} l Q)
                       → infTr∞ {∞} l P


--@BEGIN@fdiref

_⊑fdi_ : {lu : LUniv}{c : Choice} (P : Process ∞ {lu} c)
         (Q : Process ∞ {lu} c) → Set
P ⊑fdi Q = (((P ⊑ Q) × (P ⊑fdi₁ Q)) × (P ⊑fdi₂ros Q)) × (P ⊑fdi₃ Q)

_≡fdi_ : {lu : LUniv}{c₀ : Choice} → (P Q : Process ∞ {lu} c₀) → Set
P ≡fdi Q = (P ⊑fdi Q) × (Q ⊑fdi P)

--@END


_⊑fdi+_ : {lu : LUniv}{c : Choice} (P : Process+ ∞ {lu} c)
          (Q : Process+ ∞ {lu} c) → Set
P ⊑fdi+ Q = (((P ⊑+ Q) × (P ⊑fdi₁+ Q)) × (P ⊑fdi₂ros+ Q)) × (P ⊑fdi₃+ Q)

_⊑fdi∞_ : {lu : LUniv}{c : Choice} (P : Process∞ ∞ {lu} c)
          (Q : Process∞ ∞ {lu} c) → Set
P ⊑fdi∞ Q = (((P ⊑∞ Q) × (P ⊑fdi₁∞ Q)) × (P ⊑fdi₂ros∞ Q)) × (P ⊑fdi₃∞ Q)

_≡fdi+_ : {lu : LUniv}{c₀ : Choice} → (P Q : Process+ ∞ {lu} c₀) → Set
P ≡fdi+ Q = (P ⊑fdi+ Q) × (Q ⊑fdi+ P)

_≡fdi∞_ : {lu : LUniv}{c₀ : Choice} → (P Q : Process∞ ∞ {lu} c₀) → Set
P ≡fdi∞ Q = (P ⊑fdi∞ Q) × (Q ⊑fdi∞ P)


_⊑fdi₂sch_ : {lu : LUniv}{c : Choice} (P : Process ∞ {lu} c)
             (Q : Process ∞ {lu} c) → Set
_⊑fdi₂sch_ {lu}{c} P Q = (l : List (Label lu))
                         (X : (Label lu) → Bool)
                         → failure Q l false X
                         → failure P l false X

_⊑fdisch_ : {lu : LUniv}{c : Choice} (P : Process ∞ {lu} c)
            (Q : Process ∞ {lu} c) → Set
P ⊑fdisch Q = ((P ⊑ Q) × (P ⊑fdi₁ Q)) × (P ⊑fdi₂sch Q)


_⊑fdi₂rosaux_ : {lu : LUniv}{c : Choice} (P : Process ∞ {lu} c)
                (Q : Process ∞ {lu} c) → Set
_⊑fdi₂rosaux_ {lu}{c} P Q = (l : List (Label lu))
                            (X : (Label lu) → Bool)
                            → failure Q l true X
                            → failure P l true X


_⊑fdiold_ : {lu : LUniv}{c : Choice} (P : Process ∞ {lu} c)
            (Q : Process ∞ {lu} c) → Set
P ⊑fdiold Q = ((P ⊑ Q) × (P ⊑fdi₁ Q)) × (P ⊑fdi₂ros Q)


_⊑fdi∞old_ : {lu : LUniv}{c : Choice} (P : Process∞ ∞ {lu} c)
             (Q : Process∞ ∞ {lu} c) → Set
P ⊑fdi∞old Q = ((P ⊑∞ Q) × (P ⊑fdi₁∞ Q)) × (P ⊑fdi₂ros∞ Q)


_⊑fdi+old_ : {lu : LUniv}{c : Choice} (P : Process+ ∞ {lu} c)
             (Q : Process+ ∞ {lu} c) → Set
P ⊑fdi+old Q = ((P ⊑+ Q) × (P ⊑fdi₁+ Q)) × (P ⊑fdi₂ros+ Q)


_≡fdiold_ : {lu : LUniv}{c : Choice} (P : Process ∞ {lu} c)
            (Q : Process ∞ {lu} c) → Set
P ≡fdiold Q = (P ⊑fdiold Q) × (Q ⊑fdiold P)

_≡fdi+old_ : {lu : LUniv}{c : Choice} (P : Process+ ∞ {lu} c)
             (Q : Process+ ∞ {lu} c) → Set
P ≡fdi+old Q = (P ⊑fdi+old Q) × (Q ⊑fdi+old P)

_≡fdi∞old_ : {lu : LUniv}{c : Choice} (P : Process∞ ∞ {lu} c)
             (Q : Process∞ ∞ {lu} c) → Set
P ≡fdi∞old Q = (P ⊑fdi∞old Q) × (Q ⊑fdi∞old P)


A.42 fdiRefusalPartsRemoved.agda


module fdiRefusalPartsRemoved where

open import process
open import Size
open import choiceSetU
open import primitiveProcess
open import div
open import labelUniv
open import Data.Fin
open import Data.List
open import Data.Sum
open import TraceWithNextProcess
open import dataAuxFunction
open import Data.Bool.Base renaming (T to T')
open import Data.Unit
open import Data.Maybe
open import dataAuxFunction
open import Data.Empty
open import TraceWithoutSize
open import RefWithoutSize
open import auxData
open import fdi

-- in the following we represent the refusals in Schneider's book.

data refusalS∞ {lu : LUniv}{c : Choice}(P : Process∞ ∞ {lu} c)
               (X : (Label lu) → Bool) : Set where
  refusalp : (Q : Process ∞ {lu} c)
             (tr : TrP∞ {lu}{c} [] (inj₁ Q) P)
             (stab : stable Q)
             (Xreject : (c : ChoiceSet (Ep Q)) → ¬ (T' (X (Labp Q c))))
             → refusalS∞ P X


A.43 hidingOperator.agda


--@PREFIX@hiding

module hidingOperator where

open import Size
open import process
open import Data.Bool renaming (T to Tb)
open import Data.String.Base
open import auxData
open import dataAuxFunction
open import choiceSetU
open import Data.Sum
open import labelUniv


--@BEGIN@hidingDef

HideStr : {lu : LUniv}(f : Label lu → Bool) → String → String
HideStr f str = "Hide " ++ labelBoolFunToString f ++ " " ++ str

mutual
  Hide∞ : {i : Size}{lu : LUniv} → {c : Choice}
          → (hide : Label lu → Bool)
          → Process∞ i {lu} c
          → Process∞ i {lu} c
  forcep (Hide∞ f P) = Hide f (forcep P)
  Str∞ (Hide∞ f P) = HideStr f (Str∞ P)


  Hide : {i : Size} → {lu : LUniv} → {c : Choice}
         → (hide : Label lu → Bool)
         → Process i {lu} c
         → Process i {lu} c
  Hide f (node P) = node (Hide+ f P)
  Hide f (terminate x) = terminate x


  Hide+ : {i : Size} → {lu : LUniv} → {c : Choice}
          → (hide : Label lu → Bool) → Process+ i {lu} c
          → Process+ i {lu} c
  E (Hide+ f P) = subset' (E P) (¬b ∘ (f ∘ (Lab P)))
  Lab (Hide+ f P) c = Lab P (projSubset c)
  PE (Hide+ f P) c = Hide∞ f (PE P (projSubset c))
  I (Hide+ f P) = I P ⊎' subset' (E P) (f ∘ Lab P)
  PI (Hide+ f P) (inj₁ c) = Hide∞ f (PI P c)
  PI (Hide+ f P) (inj₂ c) = Hide∞ f (PE P (projSubset c))
  T (Hide+ f P) = T P
  PT (Hide+ f P) = PT P
  Str+ (Hide+ f P) = HideStr f (Str+ P)




--@END


mutual
  HideWithName∞ : {i : Size} → {c : Choice}
                  → {lu : LUniv}
                  → (name : String → String)
                  → (hide : Label lu → Bool)
                  → Process∞ i {lu} c
                  → Process∞ i {lu} c
  forcep (HideWithName∞ name f P) = HideWithName name f (forcep P)
  Str∞ (HideWithName∞ name f P) = name (Str∞ P)


  HideWithName : {i : Size} → {c : Choice}
                 → {lu : LUniv}
                 → (name : String → String)
                 → (hide : Label lu → Bool)
                 → Process i {lu} c
                 → Process i {lu} c
  HideWithName name f (node P) = node (HideWithName+ name f P)
  HideWithName name f (terminate x) = terminate x


  HideWithName+ : {i : Size} → {c : Choice} → {lu : LUniv}
                  → (name : String → String)
                  → (hide : Label lu → Bool) → Process+ i {lu} c
                  → Process+ i {lu} c
  E (HideWithName+ name f P) = subset' (E P) (¬b ∘ (f ∘ (Lab P)))
  Lab (HideWithName+ name f P) c = Lab P (projSubset c)
  PE (HideWithName+ name f P) c = HideWithName∞ name f (PE P (projSubset c))
  I (HideWithName+ name f P) = I P ⊎' subset' (E P) (f ∘ Lab P)
  PI (HideWithName+ name f P) (inj₁ c) = HideWithName∞ name f (PI P c)
  PI (HideWithName+ name f P) (inj₂ c) = HideWithName∞ name f (PE P (projSubset c))
  T (HideWithName+ name f P) = T P
  PT (HideWithName+ name f P) = PT P
  Str+ (HideWithName+ name f P) = name (Str+ P)




A.44 interleave.agda


--@PREFIX@interleaving


module interleave where


open import Size
open import process
open import choiceSetU
open import auxData
open import Data.Sum
open import Data.String renaming (_++_ to _++s_)
open import renamingResult
open import labelUniv

--@BEGIN@interleavingDef

_|||Str_ : String → String → String
s |||Str s' = s ++s "|||" ++s s'


mutual
  _|||∞_ : {i : Size}{lu : LUniv}
           → {c₀ c₁ : Choice}
           → Process∞ i {lu} c₀
           → Process∞ i {lu} c₁
           → Process∞ i {lu} (c₀ ×' c₁)
  forcep (P |||∞ Q) = forcep P ||| forcep Q
  Str∞ (P |||∞ Q) = Str∞ P |||Str Str∞ Q


  _|||_ : {i : Size}{lu : LUniv} → {c₀ c₁ : Choice} → Process i {lu} c₀
          → Process i {lu} c₁ → Process i {lu} (c₀ ×' c₁)
  node P ||| node Q = node (P |||++ Q)
  terminate a ||| Q = fmap (λ b → (a ,, b)) Q
  P ||| terminate b = fmap (λ a → (a ,, b)) P

  _|||∞+_ : {i : Size}{lu : LUniv} → {c₀ c₁ : Choice} → Process∞ i {lu} c₀
            → Process+ i {lu} c₁ → Process∞ i {lu} (c₀ ×' c₁)
  forcep (P |||∞+ Q) = node (forcep P |||p+ Q)
  Str∞ (P |||∞+ Q) = Str∞ P |||Str Str+ Q

  _|||+∞_ : {i : Size}{lu : LUniv} → {c₀ c₁ : Choice} → Process+ i {lu} c₀
            → Process∞ i {lu} c₁ → Process∞ i {lu} (c₀ ×' c₁)
  forcep (P |||+∞ Q) = node (P |||+p forcep Q)
  Str∞ (P |||+∞ Q) = Str+ P |||Str Str∞ Q

  _|||p+_ : {i : Size}{lu : LUniv} → {c₀ c₁ : Choice} → Process i {lu} c₀
            → Process+ i {lu} c₁ → Process+ i {lu} (c₀ ×' c₁)
  terminate a |||p+ Q = fmap+ (λ b → (a ,, b)) Q
  node P |||p+ Q = P |||++ Q

  _|||+p_ : {i : Size}{lu : LUniv} → {c₀ c₁ : Choice} → Process+ i {lu} c₀
            → Process i {lu} c₁ → Process+ i {lu} (c₀ ×' c₁)
  P |||+p terminate b = fmap+ (λ a → (a ,, b)) P
  P |||+p node Q = P |||++ Q

  _|||++_ : {i : Size}{lu : LUniv} → {c₀ c₁ : Choice}
            → Process+ i {lu} c₀ → Process+ i {lu} c₁
            → Process+ i {lu} (c₀ ×' c₁)
  E (P |||++ Q) = E P ⊎' E Q
  Lab (P |||++ Q) (inj₁ c) = Lab P c
  Lab (P |||++ Q) (inj₂ c) = Lab Q c
  PE (P |||++ Q) (inj₁ c) = PE P c |||∞+ Q
  PE (P |||++ Q) (inj₂ c) = P |||+∞ PE Q c
  I (P |||++ Q) = I P ⊎' I Q
  PI (P |||++ Q) (inj₁ c) = PI P c |||∞+ Q
  PI (P |||++ Q) (inj₂ c) = P |||+∞ PI Q c
  T (P |||++ Q) = T P ×' T Q
  PT (P |||++ Q) (c ,, c₁) = PT P c ,, PT Q c₁
  Str+ (P |||++ Q) = Str+ P |||Str Str+ Q


  _|||p∞_ : {i : Size}{lu : LUniv} → {c₀ c₁ : Choice} → Process i {lu} c₀
            → Process∞ i {lu} c₁ → Process∞ i {lu} (c₀ ×' c₁)
  forcep (P |||p∞ Q) = P ||| forcep Q
  Str∞ (P |||p∞ Q) = Str P |||Str Str∞ Q

  _|||∞p_ : {i : Size}{lu : LUniv} → {c₀ c₁ : Choice} → Process∞ i {lu} c₀
            → Process i {lu} c₁ → Process∞ i {lu} (c₀ ×' c₁)
  forcep (P |||∞p Q) = forcep P ||| Q
  Str∞ (P |||∞p Q) = Str∞ P |||Str Str Q

--@END


infixl 10 _|||∞_
infixl 10 _|||_

mutual
  _|||wNam∞_Using_,_,_ : {i : Size}
                         → {lu : LUniv}
                         → {c₀ c₁ : Choice}
                         → Process∞ i {lu} c₀
                         → Process∞ i {lu} c₁
                         → (|||name : String → String → String)
                         → (fmapLeftName : ChoiceSet c₀ → String → String)
                         → (fmapRightName : ChoiceSet c₁ → String → String)
                         → Process∞ i {lu} (c₀ ×' c₁)
  forcep (P |||wNam∞ Q Using |||name , fmapLeftName , fmapRightName)
    = forcep P |||wNam forcep Q Using |||name , fmapLeftName , fmapRightName
  Str∞ (P |||wNam∞ Q Using |||name , fmapLeftName , fmapRightName)
    = |||name (Str∞ P) (Str∞ Q)


  _|||wNam_Using_,_,_ : {i : Size}
                        → {lu : LUniv}
                        → {c₀ c₁ : Choice} → Process i {lu} c₀
                        → Process i {lu} c₁
                        → (|||name : String → String → String)
                        → (fmapLeftName : ChoiceSet c₀ → String → String)
                        → (fmapRightName : ChoiceSet c₁ → String → String)
                        → Process i {lu} (c₀ ×' c₁)
  node P |||wNam node Q Using |||name , fmapLeftName , fmapRightName
    = node (P |||wNam++ Q Using |||name , fmapLeftName , fmapRightName)
  terminate a |||wNam Q Using |||name , fmapLeftName , fmapRightName
    = fmapWithName (fmapLeftName a) (λ b → (a ,, b)) Q
  P |||wNam terminate b Using |||name , fmapLeftName , fmapRightName
    = fmapWithName (fmapRightName b) (λ a → (a ,, b)) P


  _|||wNam∞+_Using_,_,_ : {i : Size} → {lu : LUniv} → {c₀ c₁ : Choice} → Process∞ i {lu} c₀
                          → Process+ i {lu} c₁
                          → (|||name : String → String → String)
                          → (fmapLeftName : ChoiceSet c₀ → String → String)
                          → (fmapRightName : ChoiceSet c₁ → String → String)
                          → Process∞ i {lu} (c₀ ×' c₁)
  forcep (P |||wNam∞+ Q Using |||name , fmapLeftName , fmapRightName)
    = node (forcep P |||wNamp+ Q Using |||name , fmapLeftName , fmapRightName)
  Str∞ (P |||wNam∞+ Q Using |||name , fmapLeftName , fmapRightName)
    = |||name (Str∞ P) (Str+ Q)

  _|||wNam+∞_Using_,_,_ : {i : Size} → {lu : LUniv} → {c₀ c₁ : Choice} → Process+ i {lu} c₀
                          → Process∞ i {lu} c₁
                          → (|||name : String → String → String)
                          → (fmapLeftName : ChoiceSet c₀ → String → String)
                          → (fmapRightName : ChoiceSet c₁ → String → String)
                          → Process∞ i {lu} (c₀ ×' c₁)
  forcep (P |||wNam+∞ Q Using |||name , fmapLeftName , fmapRightName)
    = node (P |||wNam+p forcep Q Using |||name , fmapLeftName , fmapRightName)
  Str∞ (P |||wNam+∞ Q Using |||name , fmapLeftName , fmapRightName)
    = |||name (Str+ P) (Str∞ Q)

  _|||wNamp+_Using_,_,_ : {i : Size} → {lu : LUniv} → {c₀ c₁ : Choice} → Process i {lu} c₀
                          → Process+ i {lu} c₁
                          → (|||name : String → String → String)
                          → (fmapLeftName : ChoiceSet c₀ → String → String)
                          → (fmapRightName : ChoiceSet c₁ → String → String)
                          → Process+ i {lu} (c₀ ×' c₁)
  terminate a |||wNamp+ Q Using |||name , fmapLeftName , fmapRightName
    = fmapWithName+ (fmapLeftName a) (λ b → (a ,, b)) Q
  node P |||wNamp+ Q Using |||name , fmapLeftName , fmapRightName
    = P |||wNam++ Q Using |||name , fmapLeftName , fmapRightName

  _|||wNam+p_Using_,_,_ : {i : Size} → {lu : LUniv} → {c₀ c₁ : Choice} → Process+ i {lu} c₀
                          → Process i {lu} c₁
                          → (|||name : String → String → String)
                          → (fmapLeftName : ChoiceSet c₀ → String → String)
                          → (fmapRightName : ChoiceSet c₁ → String → String)
                          → Process+ i {lu} (c₀ ×' c₁)
  P |||wNam+p terminate b Using |||name , fmapLeftName , fmapRightName =
    fmapWithName+ (fmapRightName b) (λ a → (a ,, b)) P
  P |||wNam+p node Q Using |||name , fmapLeftName , fmapRightName =
    P |||wNam++ Q Using |||name , fmapLeftName , fmapRightName

  _|||wNam++_Using_,_,_ : {i : Size} → {lu : LUniv} → {c₀ c₁ : Choice}
                          → Process+ i {lu} c₀ → Process+ i {lu} c₁
                          → (|||name : String → String → String)
                          → (fmapLeftName : ChoiceSet c₀ → String → String)
                          → (fmapRightName : ChoiceSet c₁ → String → String)
                          → Process+ i {lu} (c₀ ×' c₁)
  E (P |||wNam++ Q Using |||name , fmapLeftName , fmapRightName) = E P ⊎' E Q
  Lab (P |||wNam++ Q Using |||name , fmapLeftName , fmapRightName) (inj₁ c) = Lab P c
  Lab (P |||wNam++ Q Using |||name , fmapLeftName , fmapRightName) (inj₂ c) = Lab Q c
  PE (P |||wNam++ Q Using |||name , fmapLeftName , fmapRightName) (inj₁ c) =
    PE P c |||wNam∞+ Q Using |||name , fmapLeftName , fmapRightName
  PE (P |||wNam++ Q Using |||name , fmapLeftName , fmapRightName) (inj₂ c) =
    P |||wNam+∞ PE Q c Using |||name , fmapLeftName , fmapRightName
  I (P |||wNam++ Q Using |||name , fmapLeftName , fmapRightName) = I P ⊎' I Q
  PI (P |||wNam++ Q Using |||name , fmapLeftName , fmapRightName) (inj₁ c) =
    PI P c |||wNam∞+ Q Using |||name , fmapLeftName , fmapRightName
  PI (P |||wNam++ Q Using |||name , fmapLeftName , fmapRightName) (inj₂ c) =
    P |||wNam+∞ PI Q c Using |||name , fmapLeftName , fmapRightName
  T (P |||wNam++ Q Using |||name , fmapLeftName , fmapRightName) = T P ×' T Q
  PT (P |||wNam++ Q Using |||name , fmapLeftName , fmapRightName) (c ,, c₁) = PT P c ,, PT Q c₁
  Str+ (P |||wNam++ Q Using |||name , fmapLeftName , fmapRightName) = |||name (Str+ P) (Str+ Q)


  _|||wNamp∞_Using_,_,_ : {i : Size} → {lu : LUniv} → {c₀ c₁ : Choice} → Process i {lu} c₀
                          → Process∞ i {lu} c₁
                          → (|||name : String → String → String)
                          → (fmapLeftName : ChoiceSet c₀ → String → String)
                          → (fmapRightName : ChoiceSet c₁ → String → String)
                          → Process∞ i {lu} (c₀ ×' c₁)
  forcep (P |||wNamp∞ Q Using |||name , fmapLeftName , fmapRightName) =
    P |||wNam forcep Q Using |||name , fmapLeftName , fmapRightName
  Str∞ (P |||wNamp∞ Q Using |||name , fmapLeftName , fmapRightName) = |||name (Str P) (Str∞ Q)

  _|||wNam∞p_Using_,_,_ : {i : Size} → {lu : LUniv} → {c₀ c₁ : Choice} → Process∞ i {lu} c₀
                          → Process i {lu} c₁
                          → (|||name : String → String → String)
                          → (fmapLeftName : ChoiceSet c₀ → String → String)
                          → (fmapRightName : ChoiceSet c₁ → String → String)
                          → Process∞ i {lu} (c₀ ×' c₁)
  forcep (P |||wNam∞p Q Using |||name , fmapLeftName , fmapRightName) =
    forcep P |||wNam Q Using |||name , fmapLeftName , fmapRightName
  Str∞ (P |||wNam∞p Q Using |||name , fmapLeftName , fmapRightName) = |||name (Str∞ P) (Str Q)


-- infixl 10 _|||wNam∞_
-- infixl 10 _|||wNam_


mutual
  _|||w∞_ : {i : Size}
            → {lu : LUniv}
            → {c₀ c₁ : Choice}
            → Process∞ i {lu} c₀
            → Process∞ i {lu} c₁
            → {|||name : String → String → String}
            → {fmapLeftName : ChoiceSet c₀ → String → String}
            → {fmapRightName : ChoiceSet c₁ → String → String}
            → Process∞ i {lu} (c₀ ×' c₁)
  _|||w∞_ {i} {lu} {c₀} {c₁} P Q {|||name}{fmapLeftName}{fmapRightName} = P |||wNam∞ Q Using |||name , fmapLeftName , fmapRightName


  _|||w_ : {i : Size}
           → {lu : LUniv}
           → {c₀ c₁ : Choice}
           → Process i {lu} c₀
           → Process i {lu} c₁
           → {|||name : String → String → String}
           → {fmapLeftName : ChoiceSet c₀ → String → String}
           → {fmapRightName : ChoiceSet c₁ → String → String}
           → Process i {lu} (c₀ ×' c₁)
  _|||w_ {i} {lu} {c₀} {c₁} P Q {|||name}{fmapLeftName}{fmapRightName} = P |||wNam Q Using |||name , fmapLeftName , fmapRightName




  _|||w+_ : {i : Size}
            → {lu : LUniv}
            → {c₀ c₁ : Choice}
            → Process+ i {lu} c₀
            → Process+ i {lu} c₁
            → {|||name : String → String → String}
            → {fmapLeftName : ChoiceSet c₀ → String → String}
            → {fmapRightName : ChoiceSet c₁ → String → String}
            → Process+ i {lu} (c₀ ×' c₁)
  _|||w+_ {i} {lu} {c₀} {c₁} P Q {|||name}{fmapLeftName}{fmapRightName} = P |||wNam++ Q Using |||name , fmapLeftName , fmapRightName


A.45 internalChoice.agda


--@PREFIX@internalChoice
module internalChoice where


open import Data.String renaming (_==_ to _==strb_)
open import Data.List.Base renaming (map to mapL)
open import Data.Fin
open import Size
open import choiceSetU
open import process
open import showFunction
open import dataAuxFunction
open import labelUniv


bool : Choice
bool = fin 2

if_then_else_ : {A : Set} → ChoiceSet bool → A → A → A
if zero then a else b = a
if (suc zero) then a else b = b
if (suc (suc ())) then a else b


--@BEGIN@intDef

_⊓Str_ : String → String → String
s ⊓Str s' = "(" ++s s ++s " ⊓ " ++s s' ++s ")"

_⊓+_ : {i : Size} → {c : Choice} → {lu : LUniv} → Process∞ i {lu} c
       → Process∞ i {lu} c
       → Process+ i {lu} c
E (P ⊓+ Q) = ∅'
Lab (P ⊓+ Q) ()
PE (P ⊓+ Q) ()
I (P ⊓+ Q) = fin 2
PI (P ⊓+ Q) zero = P
PI (P ⊓+ Q) (suc zero) = Q
PI (P ⊓+ Q) (suc (suc ()))
T (P ⊓+ Q) = ∅'
PT (P ⊓+ Q) ()
Str+ (P ⊓+ Q) = Str∞ P ⊓Str Str∞ Q

_⊓_ : {i : Size} → {c : Choice} → {lu : LUniv} → Process∞ i {lu} c
      → Process∞ i {lu} c → Process i {lu} c
P ⊓ Q = node (P ⊓+ Q)

_⊓∞_ : {i : Size} → {c : Choice} → {lu : LUniv} → Process∞ i {lu} c
       → Process∞ i {lu} c → Process∞ (↑ i) {lu} c
forcep (P ⊓∞ Q) {j} = P ⊓ Q
Str∞ (P ⊓∞ Q) = (Str∞ P) ⊓Str (Str∞ Q)

--@END


_⊓+'_ : {i : Size} → {c : Choice} → {lu : LUniv} → Process∞ i {lu} c
        → Process∞ i {lu} c → Process+ i {lu} c
P ⊓+' Q = process+ ∅' efq efq bool (λ b → if b then P else Q) ∅' efq
                   (Str∞ P ⊓Str Str∞ Q)


mutual 




  IntChoiceStr : {c : Choice} → (f : ChoiceSet c → String) → String
  IntChoiceStr f = " \t ⊓ \t " ++s choice2Str2Str f


  IntChoice∞ : (i : Size) → {c₀ : Choice} → (c : Choice) → {lu : LUniv}
               → (PI : ChoiceSet c → Process∞ i {lu} c₀)
               → Process∞ (↑ i) {lu} c₀
  forcep (IntChoice∞ i c {lu} PI) {j} = IntChoice j c {lu} PI
  Str∞ (IntChoice∞ i c PI) = IntChoiceStr (Str∞ ∘ PI)

  IntChoice : (i : Size) → {c₀ : Choice} → (c : Choice) → {lu : LUniv}
              → (PI : ChoiceSet c → Process∞ i {lu} c₀)
              → Process i {lu} c₀
  IntChoice i c PI = node (IntChoice+ i c PI)


  IntChoice+ : (i : Size) → {c₀ : Choice} → (c : Choice) → {lu : LUniv}
               → (P : ChoiceSet c → Process∞ i {lu} c₀)
               → Process+ i {lu} c₀
  E (IntChoice+ i c P) = ∅'
  Lab (IntChoice+ i c P) = efq
  PE (IntChoice+ i c P) = efq
  I (IntChoice+ i c P) = c
  PI (IntChoice+ i c P) = P
  T (IntChoice+ i c P) = ∅'
  PT (IntChoice+ i c P) = efq
  Str+ (IntChoice+ i c P) = IntChoiceStr (Str∞ ∘ P)


--@END


A.46 interrupt.agda


--@PREFIX@interrupting

module interrupt where

open import Size
open import process
open import choiceSetU
open import Data.String renaming (_++_ to _++s_)
open import renamingResult
open import Data.Sum
open import addTick
open import labelUniv

_△Res_ : Choice → Choice → Choice
c₀ △Res c₁ = (c₀ ⊎' c₁) ⊎' (c₀ ×' c₁)


_△Str_ : String → String → String
s △Str s' = s ++s " \t △ \t " ++s s'


--@BEGIN@intrruptDef
mutual
  _△∞∞_ : {lu : LUniv}{c₀ c₁ : Choice} → {i : Size}
          → Process∞ i {lu} c₀ → Process∞ i {lu} c₁
          → Process∞ i {lu} (c₀ ⊎' c₁)
  forcep (P △∞∞ P') = forcep P △ forcep P'
  Str∞ (P △∞∞ P') = Str∞ P △Str Str∞ P'

  _△_ : {lu : LUniv}{c₀ c₁ : Choice} → {i : Size}
        → Process i {lu} c₀ → Process i {lu} c₁
        → Process i {lu} (c₀ ⊎' c₁)
  node P △ P' = P △+p P'
  P △ node P' = P △p+ P'
  terminate a △ terminate b = 2-✓ a b


  _△+_ : {lu : LUniv}{c₀ c₁ : Choice} → {i : Size}
         → Process+ i {lu} c₀ → Process+ i {lu} c₁
         → Process+ i {lu} (c₀ ⊎' c₁)
  E (P △+ Q) = E P ⊎' E Q
  Lab (P △+ Q) (inj₁ x) = Lab P x
  Lab (P △+ Q) (inj₂ x) = Lab Q x
  PE (P △+ Q) (inj₁ x) = PE P x △∞+ Q
  PE (P △+ Q) (inj₂ x) = fmap∞ inj₂ (PE Q x)
  I (P △+ Q) = I P ⊎' I Q
  PI (P △+ Q) (inj₁ c) = PI P c △∞+ Q
  PI (P △+ Q) (inj₂ c) = P △+∞ PI Q c
  T (P △+ Q) = T P ⊎' T Q
  PT (P △+ Q) (inj₁ c) = inj₁ (PT P c)
  PT (P △+ Q) (inj₂ c) = inj₂ (PT Q c)
  Str+ (P △+ Q) = Str+ P △Str Str+ Q

--@END


  _△∞+_ : {lu : LUniv}{c₀ c₁ : Choice} → {i : Size}
          → Process∞ i {lu} c₀ → Process+ i {lu} c₁
          → Process∞ i {lu} (c₀ ⊎' c₁)
  forcep (P △∞+ P') = forcep P △p+ P'
  Str∞ (P △∞+ P') = Str∞ P △Str Str+ P'

  _△+∞_ : {lu : LUniv}{c₀ c₁ : Choice} → {i : Size}
          → Process+ i {lu} c₀ → Process∞ i {lu} c₁
          → Process∞ i {lu} (c₀ ⊎' c₁)
  forcep (P △+∞ P') = P △+p forcep P'
  Str∞ (P △+∞ P') = Str+ P △Str Str∞ P'

  _△+p_ : {lu : LUniv}{c₀ c₁ : Choice} → {i : Size}
          → Process+ i {lu} c₀ → Process i {lu} c₁
          → Process i {lu} (c₀ ⊎' c₁)
  P △+p terminate b = add✓ (inj₂ b)
                           (node (fmap+ inj₁ P))
  P △+p node P' = node (P △+ P')

  _△p+_ : {lu : LUniv}{c₀ c₁ : Choice} → {i : Size}
          → Process i {lu} c₀ → Process+ i {lu} c₁
          → Process i {lu} (c₀ ⊎' c₁)
  terminate a △p+ P' = addTimed✓ (inj₁ a)
                                 (node (fmap+ inj₂ P'))
  node P △p+ P' = node (P △+ P')

A.47 IOExampleScreenShotForTyDePaper2.agda


module IOExampleScreenShotForTyDePaper2 where


open import Size
open import process
open import choiceSetU
open import prefix
open import primitiveProcess
open import auxData
open import simulator
open import Data.Fin renaming (_+_ to to _<F_)
open import Data.List
open import SizedIO.Console hiding (main)
open import NativeIO
open import externalChoice
open import interleave
open import internalChoice
open import UnitModule
open import labelUniv
open import label renaming (Label to LabelSimple)
open import Data.Bool


setSTOP : Choice
setSTOP = namedElements ("STOP" :: [])

skip : ∀ {i} → Process∞ i {lsimple} setSTOP
skip = delay (SKIP (ne zero))

process₀ : ∀ i → Process i {lsimple} setSTOP
process₀ i = lab laba ⟶ STOP∞ setSTOP

process₁ : ∀ i → Process i {lsimple} setSTOP
process₁ i = lab labb ⟶pp (lab laba ⟶ STOP∞ setSTOP)


process₂ : ∀ i → Process i {lsimple} setSTOP
process₂ i = lab labc ⟶ STOP∞ setSTOP

process₃ : ∀ i → Process i {lsimple} setSTOP
process₃ i = lab laba ⟶ STOP∞ setSTOP

process₄ : ∀ i → Process i {lsimple} setSTOP
process₄ i = delay (process₂ i) ⊓ delay (process₃ i)

transition₂ : ∀ i → Process i {lsimple} setSTOP
transition₂ i = lab laba ⟶ delay {i} (lab labb ⟶ delay {↑ i} (lab labc ⟶ delay {↑ (↑ i)} (S

process₅ : ∀ i → Process i {lsimple} (setSTOP ⊎' (setSTOP ⊎' setSTOP))
process₅ i = process₄ i □ (process₄ i □ SKIP (ne zero))

--need to fix

main : NativeIO Unit
main = translateIOConsole (myProgram true (setSTOP ⊎' (setSTOP ⊎' setSTOP)) (process₅ ∞))


A.48 IOSeqCom.agda


module IOSeqCom where


open import Data.Bool
open import Size
open import process
open import choiceSetU
open import prefix
open import primitiveProcess
open import label
open import sequentialComposition
open import simulator
open import Data.Fin renaming (_+_ to to _<F_)
open import Data.List
open import SizedIO.Console hiding (main)
open import NativeIO
open import UnitModule
open import labelUniv
open import label renaming (Label to LabelSimple)


setSTOP : Choice
setSTOP = namedElements ("STOP" :: [])

SetSTOP : Set
SetSTOP = ChoiceSet setSTOP

setAB : Choice
setAB = namedElements ("A" :: "B" :: [])

SetAB : Set
SetAB = ChoiceSet setAB

transition₁ : ∀ i → Process i {lsimple} setSTOP
transition₁ i = lab laba ⟶ delay {i} (lab labb ⟶ delay {↑ i} (lab labc ⟶ delay {↑ (↑ i)} (STOP set

transition₂ : ∀ i → Process i {lsimple} setSTOP
transition₂ i = lab laba ⟶ delay {i} (lab labb ⟶ delay {↑ i} (lab labc ⟶ delay {↑ (↑ i)} (STOP set

transition₃ : ∀ i → Process i {lsimple} setSTOP
transition₃ i = transition₁ i >>= (λ x → delay {i} (transition₂ i))


main : NativeIO Unit
main = translateIOConsole (myProgram true (namedElements ("STOP" :: [])) (transition₃ ∞))

A.49 label.agda

--@PREFIX@label
module label where

--@BEGIN@Labelsimple
data Label : Set where
  laba labb labc : Label
--@END


A.50 labelEq.agda

module labelEq where

open import label
open import Data.Bool
open import Data.Bool.Base renaming (T to T')
open import Data.Unit

_==l_ : Label → Label → Bool
laba ==l laba = true
labb ==l labb = true
labc ==l labc = true
_ ==l _ = false

refl==l : {l : Label} → T' (l ==l l)
refl==l {laba} = tt
refl==l {labb} = tt
refl==l {labc} = tt

_==L_ : Label → Label → Set
l ==L r = T' (l ==l r)


A.51 labelUniv.agda

--@PREFIX@labelUniv
module labelUniv where

open import Data.Bool
open import Data.Bool.Base renaming (T to T')
open import Data.String renaming (_++_ to _++s_)
open import Data.String.Base
open import Data.List.Base
open import Data.List
open import label renaming (Label to LabelSimple)
open import showLabelP hiding (labelBoolFunToString ; labelLabelFunToString)
                       renaming (showLabel to showLabelSimple ;
                                 LabelList to LabelListSimple)
open import labelEq hiding (_==L_)
                    renaming (_==l_ to _==lsimpl_ ;
                              refl==l to refl==lsimple)

-- Labelf stands for Labelfield similarly for _==lf_ etc

--@BEGIN@LUniv
record LUniv : Set₁ where
  field
    Labelf     : Set
    _==lf_     : Labelf → Labelf → Bool
    refl==lf   : {l : Labelf} → T' (l ==lf l)
    sym==lf    : {l l' : Labelf} → T' (l ==lf l') → T' (l' ==lf l)
    transf     : {l l' : Labelf} → (Q : Labelf → Set)
                 → T' (l ==lf l') → Q l → Q l'
    showLabelf : Labelf → String
    LabelListf : List Labelf
--@END

open LUniv public

mutual
--@BEGIN@Label
  data Label (lu : LUniv) : Set where
    lab : LUniv.Labelf lu → Label lu
--@END

--@BEGIN@EqLabel
  _==l_ : {lu : LUniv} → Label lu → Label lu → Bool
  _==l_ {lu} (lab x) (lab y) = LUniv._==lf_ lu x y

  refl==l : {lu : LUniv} {l : Label lu} → T' (l ==l l)
  refl==l {lu} {lab x} = LUniv.refl==lf lu {x}

  sym==l : {lu : LUniv} {l l' : Label lu} → T' (l ==l l') → T' (l' ==l l)
  sym==l {lu} {lab x} {lab y} p = LUniv.sym==lf lu {x} {y} p

  transfLu : {lu : LUniv}(Q : Label lu → Set) {l l' : Label lu}
             → T' (l ==l l') → Q l → Q l'
  transfLu {lu} Q {lab l} {lab l'} ll' q =
    LUniv.transf lu {l} {l'} (λ x → Q (lab x)) ll' q

  _==L_ : {lu : LUniv} → Label lu → Label lu → Set
  _==L_ {lu} l l' = T' (_==l_ {lu} l l')

  showLabel : {lu : LUniv} → Label lu → String
  showLabel {lu} (lab x) = LUniv.showLabelf lu x

  LabelList : (lu : LUniv) → List (Label lu)
  LabelList lu = map (λ x → lab x) (LUniv.LabelListf lu)

  labelBoolFunToString : {lu : LUniv} → (Label lu → Bool) → String
  labelBoolFunToString {lu} f = unlines (map (showLabel {lu})
                                             (filter f (LabelList lu)))

  labelLabelFunToString : {lu : LUniv} → (Label lu → Label lu) → String
  labelLabelFunToString {lu} f = "[["
                                 ++s unlinesWithChosenString ", "
                                       (map (λ l → showLabel {lu} (f l)
                                                   ++s " <- " ++s showLabel {lu} l)
                                            (LabelList lu))
                                 ++s "]]"
--@END

open LUniv

--@BEGIN@trl
trl : {l l' : LabelSimple} → (Q : LabelSimple → Set)
      → T' (l ==lsimpl l') → Q l → Q l'
trl {laba} {laba} Q t q = q
trl {laba} {labb} Q () q
trl {laba} {labc} Q () q
trl {labb} {laba} Q () q
trl {labb} {labb} Q t q = q
trl {labb} {labc} Q () q
trl {labc} {laba} Q () q
trl {labc} {labb} Q () q
trl {labc} {labc} Q t q = q

symLabelSimple : {l l' : LabelSimple} → T' (l ==lsimpl l')
                 → T' (l' ==lsimpl l)
symLabelSimple {laba} {laba} tt = tt
symLabelSimple {laba} {labb} ()
symLabelSimple {laba} {labc} ()
symLabelSimple {labb} {laba} ()
symLabelSimple {labb} {labb} tt = tt
symLabelSimple {labb} {labc} ()
symLabelSimple {labc} {laba} ()
symLabelSimple {labc} {labb} ()
symLabelSimple {labc} {labc} tt = tt

lsimple : LUniv
Labelf lsimple = LabelSimple
_==lf_ lsimple = _==lsimpl_
refl==lf lsimple {l} = refl==lsimple {l}
showLabelf lsimple = showLabelSimple
LabelListf lsimple = LabelListSimple
transf lsimple = trl
sym==lf lsimple {l} {l'} = symLabelSimple {l} {l'}
--@END


A.52 labelUnivAsPureRecord.agda

module labelUnivAsPureRecord where

open import Data.Bool
open import Data.Bool.Base renaming (T to T')
open import Data.String renaming (_++_ to _++s_)
open import Data.String.Base
open import Data.List.Base
open import Data.List
open import label renaming (Label to LabelSimple)
open import showLabelP hiding (labelBoolFunToString ; labelLabelFunToString)
                       renaming (showLabel to showLabelSimple ;
                                 LabelList to LabelListSimple)
open import labelEq hiding (_==L_)
                    renaming (_==l_ to _==lsimpl_ ;
                              refl==l to refl==lsimple)

mutual
  record LUniv : Set₁ where
    field
      Labelf     : Set
      _==lf_     : Labelf → Labelf → Bool
      refl==lf   : {l : Labelf} → T' (l ==lf l)
      showLabelf : Labelf → String
      LabelListf : List Labelf

  Label : LUniv → Set
  Label = LUniv.Labelf

  _==l_ : {lu : LUniv} → Label lu → Label lu → Bool
  _==l_ {lu} = LUniv._==lf_ lu

  refl==l : {lu : LUniv} {l : Label lu} → T' (l ==l l)
  refl==l {lu} = LUniv.refl==lf lu

  _==L_ : {lu : LUniv} → Label lu → Label lu → Set
  _==L_ {lu} l l' = T' (_==l_ {lu} l l')

  showLabel : {lu : LUniv} → Label lu → String
  showLabel {lu} = LUniv.showLabelf lu

  LabelList : (lu : LUniv) → List (Label lu)
  LabelList = LUniv.LabelListf

  labelBoolFunToString : {lu : LUniv} → (Label lu → Bool) → String
  labelBoolFunToString {lu} f = unlines (map (showLabel {lu}) (filter f (LabelList lu)))

  labelLabelFunToString : {lu : LUniv} → (Label lu → Label lu) → String
  labelLabelFunToString {lu} f = "[["
                                 ++s unlinesWithChosenString ", " (map (λ l → showLabel {lu} (f l)
                                                                         ++s " <- " ++s showLabel {lu} l) (LabelList lu))
                                 ++s "]]"

open LUniv

lsimple : LUniv
Labelf lsimple = LabelSimple
_==lf_ lsimple = _==lsimpl_
refl==lf lsimple {l} = refl==lsimple {l}
showLabelf lsimple = showLabelSimple
LabelListf lsimple = LabelListSimple


A.53 labelUnivAsUniverse.agda

module labelUnivAsUniverse where

open import Data.Bool
open import Data.Bool.Base renaming (T to T')
open import Data.String renaming (_++_ to _++s_)
open import Data.String.Base
open import Data.List.Base
open import Data.List
open import label renaming (Label to LabelSimple)
open import showLabelP hiding (labelBoolFunToString ; labelLabelFunToString)
                       renaming (showLabel to showLabelSimple ;
                                 LabelList to LabelListSimple)
open import labelEq hiding (_==L_)
                    renaming (_==l_ to _==lsimpl_ ;
                              refl==l to refl==lsimple)

mutual
  data LUniv : Set where
    lsimple : LUniv

  Label : LUniv → Set
  Label lsimple = LabelSimple

  _==l_ : {lu : LUniv} → Label lu → Label lu → Bool
  _==l_ {lsimple} = _==lsimpl_

  refl==l : {lu : LUniv} {l : Label lu} → T' (l ==l l)
  refl==l {lsimple} {l} = refl==lsimple {l}

  _==L_ : {lu : LUniv} → Label lu → Label lu → Set
  l ==L l' = T' (l ==l l')

  showLabel : {lu : LUniv} → Label lu → String
  showLabel {lsimple} = showLabelSimple

  LabelList : (lu : LUniv) → List (Label lu)
  LabelList lsimple = LabelListSimple

  labelBoolFunToString : {lu : LUniv} → (Label lu → Bool) → String
  labelBoolFunToString {lu} f = unlines (map (showLabel {lu}) (filter f (LabelList lu)))

  labelLabelFunToString : {lu : LUniv} → (Label lu → Label lu) → String
  labelLabelFunToString {lu} f = "[["
                                 ++s unlinesWithChosenString ", " (map (λ l → showLabel {lu} (f l)
                                                                         ++s " <- " ++s showLabel {lu} l) (LabelList lu))
                                 ++s "]]"


A.54 lemFmap.agda

module lemFmap where

open import process
open import Size
open import choiceSetU
open import auxData
open import Data.Maybe
open import Data.List
open import Data.Sum
open import labelUniv
open import RefWithoutSize
open import dataAuxFunction
open import renamingResult
open import TraceWithoutSize
open import addTick
open import Data.Fin
open import internalChoice

swap⊎ : {c₀ c₁ : Choice} → ChoiceSet (c₀ ⊎' c₁) → ChoiceSet (c₁ ⊎' c₀)
swap⊎ (inj₁ x) = inj₂ x
swap⊎ (inj₂ y) = inj₁ y

Ass⊎ : {c₀ c₁ c₂ : Choice} → ChoiceSet ((c₀ ⊎' c₁) ⊎' c₂) → ChoiceSet (c₀ ⊎' (c₁ ⊎' c₂))
Ass⊎ (inj₁ (inj₁ x)) = inj₁ x
Ass⊎ (inj₁ (inj₂ x)) = inj₂ (inj₁ x)
Ass⊎ (inj₂ x) = inj₂ (inj₂ x)

Ass⊎r : {c₀ c₁ c₂ : Choice} → ChoiceSet (c₀ ⊎' (c₁ ⊎' c₂)) → ChoiceSet ((c₀ ⊎' c₁) ⊎' c₂)
Ass⊎r (inj₁ x) = inj₁ (inj₁ x)
Ass⊎r (inj₂ (inj₁ x)) = inj₁ (inj₂ x)
Ass⊎r (inj₂ (inj₂ x)) = inj₂ x

swap× : {c₀ c₁ : Choice} → ChoiceSet (c₀ ×' c₁) → ChoiceSet (c₁ ×' c₀)
swap× (x₀ ,, x₁) = (x₁ ,, x₀)

Ass× : {c₀ c₁ c₂ : Choice} → ChoiceSet (c₀ ×' (c₁ ×' c₂)) → ChoiceSet ((c₀ ×' c₁) ×' c₂)
Ass× (x ,, (x₁ ,, x₂)) = ((x ,, x₁) ,, x₂)

Ass×' : {c₀ c₁ c₂ : Choice} → ChoiceSet ((c₀ ×' c₁) ×' c₂) → ChoiceSet (c₀ ×' (c₁ ×' c₂))
Ass×' ((x ,, x₁) ,, x₂) = x ,, (x₁ ,, x₂)

mutual
  Fmap+' : {lu : LUniv}{c₀ c₁ c₂ c₃ : Choice} → (f : ChoiceSet c₀ → ChoiceSet c₁)
           → (g : ChoiceSet c₁ → ChoiceSet c₂)
           → (h : ChoiceSet c₂ → ChoiceSet c₃)
           → (P : Process+ ∞ {lu} c₀)
           → (l : List (Label lu))
           → (m : Maybe (ChoiceSet c₃))
           → (tr : Tr {lu} l m (node (fmap+ h (fmap+ g (fmap+ f P)))))
           → Tr {lu} l m (node (fmap+ (h ∘ g ∘ f) P))
  Fmap+' {lu} {c₀} {c₁} {c₂} {c₃} f g h P l m (tnode tr) = tnode (Fmap+ {lu} {c₀} {c₁} {c₂} {c₃} f g h P l m tr)

  Fmap+ : {lu : LUniv}{c₀ c₁ c₂ c₃ : Choice} → (f : ChoiceSet c₀ → ChoiceSet c₁)
          → (g : ChoiceSet c₁ → ChoiceSet c₂)
          → (h : ChoiceSet c₂ → ChoiceSet c₃)
          → (P : Process+ ∞ {lu} c₀)
          → (fmap+ ((h ∘ (g ∘ f))) P) ⊑+ (fmap+ h (fmap+ g (fmap+ f P)))
  Fmap+ f g h P .[] .nothing empty = empty
  Fmap+ f g h P .(Lab P x :: l) m (extc l .m x x₁) = extc l m x (Fmap∞ f g h (PE P x) l m x₁)
  Fmap+ f g h P l m (intc .l .m x x₁) = intc l m x (Fmap∞ f g h (PI P x) l m x₁)
  Fmap+ f g h P .[] .(just (h (g (f (PT P x))))) (terc x) = terc x

  Fmap∞ : {lu : LUniv}{c₀ c₁ c₂ c₃ : Choice} → (f : ChoiceSet c₀ → ChoiceSet c₁)
          → (g : ChoiceSet c₁ → ChoiceSet c₂)
          → (h : ChoiceSet c₂ → ChoiceSet c₃)
          → (P : Process∞ ∞ {lu} c₀)
          → (fmap∞ ((h ∘ (g ∘ f))) P) ⊑∞ (fmap∞ h (fmap∞ g (fmap∞ f P)))
  Fmap∞ f g h P l m x = Fmap f g h (forcep P) l m x

  Fmap : {lu : LUniv}{c₀ c₁ c₂ c₃ : Choice} → (f : ChoiceSet c₀ → ChoiceSet c₁)
         → (g : ChoiceSet c₁ → ChoiceSet c₂)
         → (h : ChoiceSet c₂ → ChoiceSet c₃)
         → (P : Process ∞ {lu} c₀)
         → (fmap ((h ∘ (g ∘ f))) P) ⊑ (fmap h (fmap g (fmap f P)))
  Fmap f g h (terminate x) l m x₁ = x₁
  Fmap f g h (node x) l m x₁ = Fmap+' f g h x l m x₁


mutual
  lemFmap+ : {lu : LUniv}{c₀ c₁ c₂ : Choice} → (f : ChoiceSet c₀ → ChoiceSet c₁)
             → (g : ChoiceSet c₁ → ChoiceSet c₂)
             → (P : Process+ ∞ {lu} c₀)
             → (fmap+ (g ∘ f) P) ⊑+ (fmap+ g (fmap+ f P))
  lemFmap+ f g P .[] .nothing empty = empty
  lemFmap+ {lu} f g P .(Lab {∞} {lu} P x :: l) m (extc l .m x x₁) = extc l m x (lemFmap∞ f g (PE P x) l m x₁)
  lemFmap+ f g P l m (intc .l .m x x₁) = intc l m x (lemFmap∞ f g (PI P x) l m x₁)
  lemFmap+ f g P .[] .(just (g (f (PT P x)))) (terc x) = terc x

  lemFmap∞ : {lu : LUniv}{c₀ c₁ c₂ : Choice} → (f : ChoiceSet c₀ → ChoiceSet c₁)
             → (g : ChoiceSet c₁ → ChoiceSet c₂)
             → (P : Process∞ ∞ {lu} c₀)
             → (fmap∞ (g ∘ f) P) ⊑∞ (fmap∞ g (fmap∞ f P))
  lemFmap∞ f g P l m x = lemFmap f g (forcep P) l m x

  lemFmap : {lu : LUniv}{c₀ c₁ c₂ : Choice} → (f : ChoiceSet c₀ → ChoiceSet c₁)
            → (g : ChoiceSet c₁ → ChoiceSet c₂)
            → (P : Process ∞ {lu} c₀)
            → (fmap (g ∘ f) P) ⊑ (fmap g (fmap f P))
  lemFmap f g (terminate x) l m x₁ = x₁
  lemFmap f g (node P) l m (tnode x) = tnode (lemFmap+ f g P l m x)

mutual
  lemFmap+R : {lu : LUniv}{c₀ c₁ c₂ : Choice} → (f : ChoiceSet c₀ → ChoiceSet c₁)
              → (g : ChoiceSet c₁ → ChoiceSet c₂)
              → (P : Process+ ∞ {lu} c₀)
              → (fmap+ g (fmap+ f P)) ⊑+ (fmap+ (g ∘ f) P)
  lemFmap+R f g P .[] .nothing empty = empty
  lemFmap+R f g P .(Lab P x :: l) m (extc l .m x x₁) = extc l m x (lemFmap∞R f g (PE P x) l m x₁)
  lemFmap+R f g P l m (intc .l .m x x₁) = intc l m x (lemFmap∞R f g (PI P x) l m x₁)
  lemFmap+R f g P .[] .(just (g (f (PT P x)))) (terc x) = terc x

  lemFmap∞R : {lu : LUniv}{c₀ c₁ c₂ : Choice} → (f : ChoiceSet c₀ → ChoiceSet c₁)
              → (g : ChoiceSet c₁ → ChoiceSet c₂)
              → (P : Process∞ ∞ {lu} c₀)
              → (fmap∞ g (fmap∞ f P)) ⊑∞ (fmap∞ (g ∘ f) P)
  lemFmap∞R f g P l m x = lemFmapR f g (forcep P) l m x

  lemFmapR : {lu : LUniv}{c₀ c₁ c₂ : Choice} → (f : ChoiceSet c₀ → ChoiceSet c₁)
             → (g : ChoiceSet c₁ → ChoiceSet c₂)
             → (P : Process ∞ {lu} c₀)
             → (fmap g (fmap f P)) ⊑ (fmap (g ∘ f) P)
  lemFmapR f g (terminate x) l m x₁ = x₁
  lemFmapR f g (node P) l m (tnode x) = tnode (lemFmap+R f g P l m x)


mutual
  addTimeFmapLemma+ : {lu : LUniv}{c₀ c₁ c₂ : Choice}
                      (f : ChoiceSet c₀ → ChoiceSet c₁)
                      (g : ChoiceSet c₁ → ChoiceSet c₂)
                      (P : Process+ ∞ {lu} c₀)
                      (a : ChoiceSet c₁)
                      → addTimed✓+ (g a) (fmap+ (g ∘ f) P) ⊑+ fmap+ g (addTimed✓+ a (fmap+ f P))
  addTimeFmapLemma+ {c₀} {c₁} {c₂} f g P a .[] .nothing empty = empty
  addTimeFmapLemma+ {c₀} {c₁} {c₂} f g P a .(Lab P x :: l) m (extc l .m x q) = extc l m x
  addTimeFmapLemma+ {c₀} {c₁} {c₂} f g P a l m (intc .l .m x q) = intc l m x (addTimeF
  addTimeFmapLemma+ {c₀} {c₁} {c₂} f g P a .[] .(just (g a)) (terc (inj₁ x)) = terc (inj₁ x)
  addTimeFmapLemma+ {c₀} {c₁} {c₂} f g P a .[] .(just (g (f (PT P y)))) (terc (inj₂ y)) =

  addTimeFmapLemma∞ : {lu : LUniv}{c₀ c₁ c₂ : Choice}
                      (f : ChoiceSet c₀ → ChoiceSet c₁)
                      (g : ChoiceSet c₁ → ChoiceSet c₂)
                      (P : Process∞ ∞ {lu} c₀)
                      (a : ChoiceSet c₁)
                      → addTimed✓∞ (g a) (fmap∞ (g ∘ f) P) ⊑∞ fmap∞ g (addTimed✓∞ a (fmap∞ f P))
  addTimeFmapLemma∞ {c₀} {c₁} {c₂} f g P a l m q = addTimeFmapLemma f g (forcep P) a l m q

  addTimeFmapLemma : {lu : LUniv}
                     {c₀ c₁ c₂ : Choice}
                     (f : ChoiceSet c₀ → ChoiceSet c₁)
                     (g : ChoiceSet c₁ → ChoiceSet c₂)
                     (P : Process ∞ {lu} c₀)
                     (a : ChoiceSet c₁)
                     → addTimed✓ (g a) (fmap (g ∘ f) P) ⊑ fmap g (addTimed✓ a (fmap f P))
  addTimeFmapLemma f g (terminate x) a .[] .nothing (tnode empty) = tnode empty
  addTimeFmapLemma f g (terminate x) a .(Lab (2-✓+ a (f x)) _ :: l) m (tnode (extc l .m () tr))
  addTimeFmapLemma f g (terminate x) a l m (tnode (intc .l .m () tr))
  addTimeFmapLemma f g (terminate x) a .[] .(just (g a)) (tnode (terc zero)) = tnode (terc zero)
  addTimeFmapLemma f g (terminate x) a .[] .(just (g (f x))) (tnode (terc (suc zero))) = tnode (terc (suc zero))
  addTimeFmapLemma f g (terminate x) a .[] .(just (g (unifyA⊎A (PT (2-✓+ a (f x)) (suc (suc _))))))
  addTimeFmapLemma f g (node P) a l m (tnode tr) = tnode (addTimeFmapLemma+ f g P a l m tr)

mutual
  addTimeFmapLemma+R : {lu : LUniv}{c₀ c₁ c₂ : Choice}
                       (f : ChoiceSet c₀ → ChoiceSet c₁)
                       (g : ChoiceSet c₁ → ChoiceSet c₂)
                       (P : Process+ ∞ {lu} c₀)
                       (a : ChoiceSet c₁)
                       → fmap+ g (addTimed✓+ a (fmap+ f P)) ⊑+ addTimed✓+ (g a) (fmap+ (g ∘ f) P)
  addTimeFmapLemma+R {c₀} {c₁} {c₂} f g P a .[] .nothing empty = empty
  addTimeFmapLemma+R {c₀} {c₁} {c₂} f g P a .(Lab P x :: l) m (extc l .m x q) = extc l m x (lemFmap∞R
  addTimeFmapLemma+R {c₀} {c₁} {c₂} f g P a l m (intc .l .m x q) = intc l m x (addTimeFmapLemma
  addTimeFmapLemma+R {c₀} {c₁} {c₂} f g P a .[] .(just (g a)) (terc (inj₁ x)) = terc (inj₁ x)
  addTimeFmapLemma+R {c₀} {c₁} {c₂} f g P a .[] .(just (g (f (PT P y)))) (terc (inj₂ y)) = terc (inj₂

  addTimeFmapLemma∞R : {lu : LUniv}
                       {c₀ c₁ c₂ : Choice}
                       (f : ChoiceSet c₀ → ChoiceSet c₁)
                       (g : ChoiceSet c₁ → ChoiceSet c₂)
                       (P : Process∞ ∞ {lu} c₀)
                       (a : ChoiceSet c₁)
                       → fmap∞ g (addTimed✓∞ a (fmap∞ f P)) ⊑∞ addTimed✓∞ (g a) (fmap∞ (g ∘ f) P)
  addTimeFmapLemma∞R {c₀} {c₁} {c₂} f g P a l m q = addTimeFmapLemmaR f g (forcep P) a l m q

  addTimeFmapLemmaR : {lu : LUniv}{c₀ c₁ c₂ : Choice}
                      (f : ChoiceSet c₀ → ChoiceSet c₁)
                      (g : ChoiceSet c₁ → ChoiceSet c₂)
                      (P : Process ∞ {lu} c₀)
                      (a : ChoiceSet c₁)
                      → fmap g (addTimed✓ a (fmap f P)) ⊑ addTimed✓ (g a) (fmap (g ∘ f) P)
  addTimeFmapLemmaR f g (terminate x) a .[] .nothing (tnode empty) = tnode empty
  addTimeFmapLemmaR f g (terminate x) a .(Lab (2-✓+ (g a) (g (f x))) _ :: l) m (tnode (extc l .m () tr))
  addTimeFmapLemmaR f g (terminate x) a l m (tnode (intc .l .m () tr))
  addTimeFmapLemmaR f g (terminate x) a .[] .(just (g a)) (tnode (terc zero)) = tnode (terc zero)
  addTimeFmapLemmaR f g (terminate x) a .[] .(just (g (f x))) (tnode (terc (suc zero))) = tnode (terc (suc zero))
  addTimeFmapLemmaR f g (terminate x) a .[] .(just (unifyA⊎A (PT (2-✓+ (g a) (g (f x))) (suc
  addTimeFmapLemmaR f g (node x) a l m (tnode tr) = tnode (addTimeFmapLemma+R f g x a l m tr)


A.55 libBool.agda

module libBool where

open import Data.Bool
open import Data.Bool.Base renaming (T to T')
open import auxData

∧introBool : (a b : Bool) → T' a → T' b → T' (a ∧ b)
∧introBool false _ ()
∧introBool true false _ ()
∧introBool true true _ _ = _

∧elimBool1 : (a b : Bool) → T' (a ∧ b) → T' a
∧elimBool1 false b ()
∧elimBool1 true b ab = _

∧elimBool2 : (a b : Bool) → T' (a ∧ b) → T' b
∧elimBool2 false false ()
∧elimBool2 true false ()
∧elimBool2 a true ab = _

∧introBool3 : (a b c : Bool) → T' a → T' b → T' c → T' (a ∧ b ∧ c)
∧introBool3 false _ _ ()
∧introBool3 true false _ _ ()
∧introBool3 true true false _ _ ()
∧introBool3 true true true _ _ _ = _

∧elimBool3-1 : (a b c : Bool) → T' (a ∧ b ∧ c) → T' a
∧elimBool3-1 false b c ()
∧elimBool3-1 true b c abc = _

∧elimBool3-2 : (a b c : Bool) → T' (a ∧ b ∧ c) → T' b
∧elimBool3-2 false false c ()
∧elimBool3-2 true false c ()
∧elimBool3-2 a true c abc = _

∧elimBool3-3 : (a b c : Bool) → T' (a ∧ b ∧ c) → T' c
∧elimBool3-3 false false false ()
∧elimBool3-3 true false false ()
∧elimBool3-3 false true false ()
∧elimBool3-3 true true false ()
∧elimBool3-3 a b true abc = _


A.56 libEq.agda

module libEq where

open import Data.Bool
open import Data.Bool.Base renaming (T to T')
open import auxData
open import libBool

==Pair : {A B : Set}(_==A_ : A → A → Bool) (_==B_ : B → B → Bool)
         (ab ab' : A × B) → Bool
==Pair _==A_ _==B_ (a ,, b) (a' ,, b') = (a ==A a') ∧ (b ==B b')

reflPair : {A B : Set}(_==A_ : A → A → Bool) (_==B_ : B → B → Bool)
           (reflA : (a : A) → T' (a ==A a))
           (reflB : (b : B) → T' (b ==B b))
           (ab : A × B)
           → T' (==Pair _==A_ _==B_ ab ab)
reflPair _==A_ _==B_ reflA reflB (a ,, b) = ∧introBool (a ==A a) (b ==B b) (reflA a) (reflB b)

symPair : {A B : Set}(_==A_ : A → A → Bool) (_==B_ : B → B → Bool)
          (symA : (a a' : A) (aa' : T' (a ==A a')) → T' (a' ==A a))
          (symB : (b b' : B) (bb' : T' (b ==B b')) → T' (b' ==B b))
          (ab ab' : A × B)
          (abab' : T' (==Pair _==A_ _==B_ ab ab'))
          → T' (==Pair _==A_ _==B_ ab' ab)
symPair _==A_ _==B_ symA symB (a ,, b) (a' ,, b') abab' =
  ∧introBool (a' ==A a) (b' ==B b)
             (symA a a' (∧elimBool1 (a ==A a') (b ==B b') abab'))
             (symB b b' (∧elimBool2 (a ==A a') (b ==B b') abab'))

transfPair : {A B : Set}(_==A_ : A → A → Bool) (_==B_ : B → B → Bool)
             (transfA : (a a' : A) (Q : A → Set)(aa' : T' (a ==A a')) → Q a → Q a')
             (transfB : (b b' : B) (Q : B → Set)(bb' : T' (b ==B b')) → Q b → Q b')
             (ab ab' : A × B)
             (Q : A × B → Set)
             (abab' : T' (==Pair _==A_ _==B_ ab ab'))
             (q : Q ab)
             → Q ab'
transfPair {A} {B} _==A_ _==B_ transfA transfB (a ,, b) (a' ,, b') Q abab' q
  = transfA a a'
            (λ a'' →
               (b₁ b₂ : B) (bb' : T' (b₁ ==B b₂)) →
               Q (a ,, b₁) → Q (a'' ,, b₂))
            (∧elimBool1 (a ==A a') (b ==B b') abab')
            (λ bb' → transfB b b' (λ b'' → Q (a ,, b''))) b b'
            (∧elimBool2 (a ==A a') (b ==B b') abab') q

==Triple : {A B C : Set}(_==A_ : A → A → Bool) (_==B_ : B → B → Bool)
           (_==C_ : C → C → Bool)
           (ab ab' : A × B × C) → Bool
==Triple _==A_ _==B_ _==C_ =
  ==Pair _==A_ (==Pair _==B_ _==C_)

reflTriple : {A B C : Set}(_==A_ : A → A → Bool) (_==B_ : B → B → Bool)
             (_==C_ : C → C → Bool)
             (reflA : (a : A) → T' (a ==A a))
             (reflB : (b : B) → T' (b ==B b))
             (reflC : (c : C) → T' (c ==C c))
             (abc : A × B × C)
             → T' (==Triple _==A_ _==B_ _==C_ abc abc)
reflTriple _==A_ _==B_ _==C_ reflA reflB reflC =
  reflPair _==A_ (==Pair _==B_ _==C_) reflA (reflPair _==B_ _==C_ reflB reflC)

symTriple : {A B C : Set}(_==A_ : A → A → Bool) (_==B_ : B → B → Bool)
            (_==C_ : C → C → Bool)
            (symA : (a a' : A) (aa' : T' (a ==A a')) → T' (a' ==A a))
            (symB : (b b' : B) (bb' : T' (b ==B b')) → T' (b' ==B b))
            (symC : (c c' : C) (cc' : T' (c ==C c')) → T' (c' ==C c))
            (abc abc' : A × B × C)
            (abcabc' : T' (==Triple _==A_ _==B_ _==C_ abc abc'))
            → T' (==Triple _==A_ _==B_ _==C_ abc' abc)
symTriple _==A_ _==B_ _==C_ symA symB symC =
  symPair _==A_ (==Pair _==B_ _==C_) symA (symPair _==B_ _==C_ symB symC)

transfTriple : {A B C : Set}(_==A_ : A → A → Bool) (_==B_ : B → B → Bool)
               (_==C_ : C → C → Bool)
               (transfA : (a a' : A) (Q : A → Set)(aa' : T' (a ==A a')) → Q a → Q a')
               (transfB : (b b' : B) (Q : B → Set)(bb' : T' (b ==B b')) → Q b → Q b')
               (transfC : (c c' : C) (Q : C → Set)(cc' : T' (c ==C c')) → Q c → Q c')
               (abc abc' : A × B × C)
               (Q : A × B × C → Set)
               (abcabc' : T' (==Triple _==A_ _==B_ _==C_ abc abc'))
               (q : Q abc)
               → Q abc'
transfTriple _==A_ _==B_ _==C_ transfA transfB transfC =
  transfPair _==A_ (==Pair _==B_ _==C_) transfA
             (transfPair _==B_ _==C_ transfB transfC)

A.57 libList.agda

module libList where

open import Data.List
open import Data.List.Base renaming (map to mapL)

LUnion : {A B : Set} (lA : List A) (f : A → List B) → List B
LUnion {A} {B} lA f = concat (mapL f lA)


A.58 maybe.agda

module maybe where

data Maybe (A : Set) : Set where
  nothing : Maybe A
  just : A → Maybe A


A.59 monadicbind.agda

--@PREFIX@monadic
module monadicbind where

open import Size
open import Data.Sum
open import Data.String renaming (_++_ to _++s_)
open import Data.List.Base renaming (map to mapL)
open import choiceSetU
open import process
open import showFunction
open import dataAuxFunction
open import labelUniv

--@BEGIN@monadicBindDef
_>>=Str_ : {c₀ : Choice} → String
           → (ChoiceSet c₀ → String) → String
s >>=Str f = s ++s ">>=" ++s choice2Str2Str f

mutual
  _>>=∞_ : {i : Size} → {lu : LUniv} → {c₀ c₁ : Choice}
           → Process∞ i {lu} c₀
           → (ChoiceSet c₀ → Process∞ i {lu} c₁)
           → Process∞ i {lu} c₁
  forcep (P >>=∞ Q) = forcep P >>= Q
  Str∞ (P >>=∞ Q) = Str∞ P >>=Str (Str∞ ∘ Q)

  _>>=_ : {i : Size} → {lu : LUniv} → {c₀ c₁ : Choice}
          → Process i c₀
          → (ChoiceSet c₀ → Process∞ (↑ i) {lu} c₁)
          → Process i c₁
  node P >>= Q = node (P >>=+ Q)
  terminate x >>= Q = forcep (Q x)

  _>>=+_ : {i : Size} → {lu : LUniv} → {c₀ c₁ : Choice}
           → Process+ i c₀
           → (ChoiceSet c₀ → Process∞ i {lu} c₁)
           → Process+ i c₁
  E    (P >>=+ Q)          = E P
  Lab  (P >>=+ Q)          = Lab P
  PE   (P >>=+ Q) c        = PE P c >>=∞ Q
  I    (P >>=+ Q)          = I P ⊎' T P
  PI   (P >>=+ Q) (inj₁ c) = PI P c >>=∞ Q
  PI   (P >>=+ Q) (inj₂ c) = Q (PT P c)
  T    (P >>=+ Q)          = ∅'
  PT   (P >>=+ Q) ()
  Str+ (P >>=+ Q)          = Str+ P >>=Str (Str∞ ∘ Q)
--@END

_>>=+p_ : {i : Size} → {lu : LUniv} → {c₀ c₁ : Choice} → Process+ i c₀
          → (ChoiceSet c₀ → Process∞ i {lu} c₁)
          → Process i c₁
P >>=+p Q = node (P >>=+ Q)


A.60 monadicbindFixing2ndMonadLaw.agda

--@PREFIX@monadicFixingSecondMonadLaw
module monadicbindFixing2ndMonadLaw where

open import Size
open import Data.Sum
open import Data.String renaming (_++_ to _++s_)
open import Data.List.Base renaming (map to mapL)
open import choiceSetU
open import process
open import showFunction
open import dataAuxFunction
open import labelUniv
open import Data.Bool renaming (T to True)
open import auxData

--@BEGIN@isTerminate
isTerminate : {i : Size}{lu : LUniv} {c : Choice}(P : Process i {lu} c)
              → Bool
isTerminate (terminate x) = true
isTerminate (node x) = false

isNode : {i : Size}{lu : LUniv} {c : Choice}(P : Process i {lu} c)
         → Bool
isNode = ¬b ∘ isTerminate
--@END

--@BEGIN@processIsTerminateToResult
processIsTerminateToResult : {i : Size}{lu : LUniv} {c : Choice}
                             (P : Process i {lu} c)
                             (isTer : True (isTerminate P))
                             → ChoiceSet c
processIsTerminateToResult (terminate x) isTer = x
processIsTerminateToResult (node x) ()
--@END

processNotTerminate2Process+ : {i : Size}{lu : LUniv} {c : Choice}
                               (P : Process i {lu} c)
                               (notTer : True (isNode P))
                               → Process+ i {lu} c
processNotTerminate2Process+ (terminate x) ()
processNotTerminate2Process+ (node P) notTer = P

--@BEGIN@monadicBindDef
_>>=Str_ : {c₀ : Choice} → String
           → (ChoiceSet c₀ → String) → String
s >>=Str f = s ++s ">>=" ++s choice2Str2Str f

mutual
  _>>=∞_ : {i : Size} → {lu : LUniv} → {c₀ c₁ : Choice}
           → Process∞ i {lu} c₀
           → (ChoiceSet c₀ → Process i {lu} c₁)
           → Process∞ i {lu} c₁
  forcep (P >>=∞ Q) = forcep P >>= Q
  Str∞ (P >>=∞ Q) = Str∞ P >>=Str (Str ∘ Q)

  _>>=_ : {i : Size} → {lu : LUniv} → {c₀ c₁ : Choice}
          → Process i c₀
          → (ChoiceSet c₀ → Process i {lu} c₁)
          → Process i c₁
  node P >>= Q = node (P >>=+ Q)
  terminate x >>= Q = Q x

  _>>=+_ : {i : Size} → {lu : LUniv} → {c₀ c₁ : Choice}
           → Process+ i c₀
           → (ChoiceSet c₀ → Process i {lu} c₁)
           → Process+ i c₁
  E   (P >>=+ Q)   = E P
  Lab (P >>=+ Q)   = Lab P
  PE  (P >>=+ Q) c = PE P c >>=∞ Q
  I   (P >>=+ Q)   = I P ⊎' subset' (T P)
                                    (isNode ∘ (Q ∘ (PT P)))
  PI (P >>=+ Q) (inj₁ c) = PI P c >>=∞ Q
  forcep (PI (P >>=+ Q) (inj₂ (sub a x))) = Q (PT P a)
  Str∞ (PI (P >>=+ Q) (inj₂ (sub a x))) = Str (Q (PT P a))
  T (P >>=+ Q) = subset' (T P)
                         (isTerminate ∘ (Q ∘ (PT P)))
  -- the proof x : True (isTerminate (Q (PT P a))) carried by sub is the
  -- second argument processIsTerminateToResult expects
  PT (P >>=+ Q) (sub a x) = processIsTerminateToResult (Q (PT P a)) x
  Str+ (P >>=+ Q) = Str+ P >>=Str (Str ∘ Q)
--@END

_>>=+p_ : {i : Size} → {lu : LUniv} → {c₀ c₁ : Choice} → Process+ i c₀
          → (ChoiceSet c₀ → Process i {lu} c₁)
          → Process i c₁
P >>=+p Q = node (P >>=+ Q)


A.61 NativeIO.agda

module NativeIO where

open import UnitModule
open import Data.String.Base using (String)

postulate
  NativeIO : Set → Set
  nativeReturn : {A : Set} → A → NativeIO A
  _native>>=_ : {A B : Set} → NativeIO A → (A → NativeIO B) → NativeIO B

-- {-# FOREIGN GHC import qualified IO.FFI #-}
{-# BUILTIN IO NativeIO #-}
{-# COMPILED_TYPE NativeIO IO #-} -- IO.FFI.AgdaIO
{-# COMPILE GHC NativeIO = type IO #-}
-- MAlonzo.Code.Agda.Builtin.IO.AgdaIO

{-# COMPILE GHC _native>>=_ = \_ _ -> (>>=) :: IO a -> (a -> IO b) -> IO b #-}
{-# COMPILE GHC nativeReturn = \_ -> return :: a -> IO a #-}

postulate
  nativeGetLine : NativeIO String
  nativePutStrLn : String → NativeIO Unit

{-# COMPILE GHC nativePutStrLn = \ s -> putStrLn (Data.Text.unpack s) #-}
{-# COMPILE GHC nativeGetLine = fmap Data.Text.pack getLine #-}


A.62 parallelSimple.agda

--@PREFIX@parallel
module parallelSimple where

-- version of parallel which is as in standard CSP

open import Data.Bool renaming (T to True)
open import Data.Sum
open import Data.String renaming (_++_ to _++s_)
open import Size
open import process
open import labelUniv
open import auxData
open import dataAuxFunction
open import choiceSetU
open import renamingResult
open import restrict

_∖_ : {X : Set} → (A B : X → Bool) → X → Bool
(A ∖ B) c = A c ∧ (¬b (B c))

-- ∖ is input as \setminus


--@BEGIN@parallelStrDef
_[_]||Str[_]_ : {lu : LUniv} → String → (A B : Label lu → Bool)
                → String → String
s [ A ]||Str[ B ] t = s ++s " [" ++s labelBoolFunToString A ++s
                      "] || [" ++s labelBoolFunToString B ++s
                      "]" ++s t
--@END

--@BEGIN@parallelinfDef
mutual
  _[_]||∞[_]_ : {i : Size}{lu : LUniv} → {c₀ c₁ : Choice}
                → Process∞ i {lu} c₀
                → (A B : Label lu → Bool)
                → Process∞ i {lu} c₁
                → Process∞ i {lu} (c₀ ×' c₁)
  forcep (P [ A ]||∞[ B ] Q) = forcep P [ A ]||[ B ] forcep Q
  Str∞ (P [ A ]||∞[ B ] Q) = Str∞ P [ A ]||Str[ B ] Str∞ Q
--@END

--@BEGIN@parallelDef
  _[_]||[_]_ : {i : Size}{lu : LUniv} → {c₀ c₁ : Choice}
               → Process i {lu} c₀
               → (A B : Label lu → Bool)
               → Process i {lu} c₁
               → Process i {lu} (c₀ ×' c₁)
  node P [ A ]||[ B ] node Q = node (P [ A ]||+[ B ] Q)
  terminate a [ A ]||[ B ] Q = fmap (λ b → (a ,, b)) (Q \ (B ∖ A))
  P [ A ]||[ B ] terminate b = fmap (λ a → (a ,, b)) (P \ (A ∖ B))
--@END

  _[_]||∞+[_]_ : {i : Size}{lu : LUniv} → {c₀ c₁ : Choice}
                 → Process∞ i {lu} c₀
                 → (A B : Label lu → Bool)
                 → Process+ i {lu} c₁
                 → Process∞ i (c₀ ×' c₁)
  forcep (P [ A ]||∞+[ B ] Q) = node (forcep P [ A ]||p+[ B ] Q)
  Str∞ (P [ A ]||∞+[ B ] Q) = Str∞ P [ A ]||Str[ B ] Str+ Q

  _[_]||+∞[_]_ : {lu : LUniv}{i : Size} → {c₀ c₁ : Choice}
                 → Process+ i {lu} c₀
                 → (A B : Label lu → Bool)
                 → Process∞ i {lu} c₁
                 → Process∞ i {lu} (c₀ ×' c₁)
  forcep (P [ A ]||+∞[ B ] Q) = node (P [ A ]||+p[ B ] forcep Q)
  Str∞ (P [ A ]||+∞[ B ] Q) = Str+ P [ A ]||Str[ B ] Str∞ Q

  _[_]||p+[_]_ : {lu : LUniv}{i : Size} → {c₀ c₁ : Choice}
                 → Process i {lu} c₀
                 → (A B : Label lu → Bool)
                 → Process+ i {lu} c₁
                 → Process+ i {lu} (c₀ ×' c₁)
  (terminate a) [ A ]||p+[ B ] Q = fmap+ (λ b → (a ,, b)) (Q \+ (B ∖ A))
  (node P) [ A ]||p+[ B ] Q = P [ A ]||+[ B ] Q

  _[_]||+p[_]_ : {i : Size} {lu : LUniv} → {c₀ c₁ : Choice}
                 → Process+ i {lu} c₀
                 → (A B : Label lu → Bool)
                 → Process i {lu} c₁
                 → Process+ i {lu} (c₀ ×' c₁)
  P [ A ]||+p[ B ] terminate b = fmap+ (λ a → (a ,, b)) (P \+ (A ∖ B))
  P [ A ]||+p[ B ] node Q = P [ A ]||+[ B ] Q

--@BEGIN@parallelplusDef
  _[_]||+[_]_ : {lu : LUniv} {i : Size} → {c₀ c₁ : Choice}
                → Process+ i {lu} c₀
                → (A B : Label lu → Bool)
                → Process+ i {lu} c₁
                → Process+ i {lu} (c₀ ×' c₁)

E (P [ A ]|| + [ B] Q) = subset’ (E P) ((A \ B) o (Lab P)) l±l’ 


a 


Cl 
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subset’ (E Q ) ((B \ A) o (Lab Q )) l±l' 
subset’ (E P x ’ E Q) 

(X {(e! „ e 2 ) 




-)• 

Lab 

Ae, = 

-=\ Lab Q e 2 A 

A (Lab P 

ei) A B (Lab Q e 2 )}) 

Lab 

(P[ 

A ] 

l + [ 

B ] 

Q) 

(inji 

(inji (sub 

CP ))) 

= Lab P c 

Lab 

(^[ 

A ] 

l + [ 

B } 

Q) 

(inji 

(inj 2 (sub 

CP ))) 

= Lab Q c 

Lab 

(^[ 

A ] 

l + [ 

B] 

Q) 

(injo 

(sub (c 0 „ 

Cl) p)) = 

Lab P cq 

PE 

(^[ 

A ] 

l + [ 

B } 

Q) 

(inji 

(injx (sub 

cp))) 

= PE P c[ A ] oo+[ B ] Q 

PE 

(^[ 

A ] 

l + [ 

B ] 

Q) 

(inji 

( inj 2 (sub 

cp))) 

= P[A]\\+oo[B] PE Qc 

PE 

(P[ 

A ] 

l + [ 

B] 

Q) 

(inj 2 

(sub (c 0 „ 

Cl) p)) = 

PE P c 0 [ A]||oo[ B] PE Q Cl 

1 

(P[ 

A ] 

l + [ 

B] 

Q) 




= 1 Pi±l' 1 Q 

PI 

(P[ 

A ] 

l + [ 

B] 

Q) 

(inji 

c) 


= PI P c[ A ] oo+[ B ] Q 

PI 

(P[ 

A ] 

l + [ 

B] 

Q) 

(inj 2 

c) 


= P[A]\\+oo[B] PI Qc 

T 

(P[ 

A ] 

l + [ 

B] 

Q) 




= JPx’TQ 

PT 

(P[ 

A ] 

l + [ 

B ] 

Q) 

(c 0 „ 

c l) 


= (PT P c 0 „ PT Q ci) 

Str+ 

(P[ 

A ] 

l + [ 

B ] 

Q) 




= Str+ P [ A ] | Str[ B ] Str+ Q 


--@END

mutual
  _[_]||wNam∞[_]_Using_,_,_ : {i : Size} → {c₀ c₁ : Choice} {lu : LUniv}
        → Process∞ i {lu} c₀
        → (A B : Label lu → Bool)
        → Process∞ i {lu} c₁
        → (||||name : String → String → String)
        → (fmapLeftName : ChoiceSet c₀ → String → String)
        → (fmapRightName : ChoiceSet c₁ → String → String)
        → Process∞ i {lu} (c₀ ×' c₁)
  forcep (P [ A ]||wNam∞[ B ] Q Using ||||name , fmapLeftName , fmapRightName)
    = forcep P [ A ]||wNam[ B ] forcep Q Using ||||name , fmapLeftName , fmapRightName
  Str∞ (P [ A ]||wNam∞[ B ] Q Using ||||name , fmapLeftName , fmapRightName)
    = ||||name (Str∞ P) (Str∞ Q)

  _[_]||wNam[_]_Using_,_,_ : {i : Size} → {c₀ c₁ : Choice} {lu : LUniv}
        → Process i {lu} c₀
        → (A B : Label lu → Bool)
        → Process i {lu} c₁
        → (||||name : String → String → String)
        → (fmapLeftName : ChoiceSet c₀ → String → String)
        → (fmapRightName : ChoiceSet c₁ → String → String)
        → Process i {lu} (c₀ ×' c₁)
  node P [ A ]||wNam[ B ] node Q Using ||||name , fmapLeftName , fmapRightName
    = node (P [ A ]||wNam+[ B ] Q Using ||||name , fmapLeftName , fmapRightName)
  terminate a [ A ]||wNam[ B ] Q Using ||||name , fmapLeftName , fmapRightName
    = fmapWithName (fmapLeftName a) (λ b → (a ,, b)) (Q ∖ (B ∖ A))
  P [ A ]||wNam[ B ] terminate b Using ||||name , fmapLeftName , fmapRightName
    = fmapWithName (fmapRightName b) (λ a → (a ,, b)) (P ∖ (A ∖ B))

  _[_]||wNam∞+[_]_Using_,_,_ : {i : Size} → {c₀ c₁ : Choice} {lu : LUniv}
        → Process∞ i {lu} c₀
        → (A B : Label lu → Bool)
        → Process+ i {lu} c₁
        → (||||name : String → String → String)
        → (fmapLeftName : ChoiceSet c₀ → String → String)
        → (fmapRightName : ChoiceSet c₁ → String → String)
        → Process∞ i {lu} (c₀ ×' c₁)
  forcep (P [ A ]||wNam∞+[ B ] Q Using ||||name , fmapLeftName , fmapRightName)
    = node (forcep P [ A ]||wNamp+[ B ] Q Using ||||name , fmapLeftName , fmapRightName)
  Str∞ (P [ A ]||wNam∞+[ B ] Q Using ||||name , fmapLeftName , fmapRightName)
    = ||||name (Str∞ P) (Str+ Q)

  _[_]||wNam+∞[_]_Using_,_,_ : {i : Size} → {c₀ c₁ : Choice} {lu : LUniv}
        → Process+ i {lu} c₀
        → (A B : Label lu → Bool)
        → Process∞ i {lu} c₁
        → (||||name : String → String → String)
        → (fmapLeftName : ChoiceSet c₀ → String → String)
        → (fmapRightName : ChoiceSet c₁ → String → String)
        → Process∞ i {lu} (c₀ ×' c₁)
  forcep (P [ A ]||wNam+∞[ B ] Q Using ||||name , fmapLeftName , fmapRightName)
    = node (P [ A ]||wNam+p[ B ] forcep Q Using ||||name , fmapLeftName , fmapRightName)
  Str∞ (P [ A ]||wNam+∞[ B ] Q Using ||||name , fmapLeftName , fmapRightName)
    = ||||name (Str+ P) (Str∞ Q)

  _[_]||wNamp+[_]_Using_,_,_ : {i : Size} → {c₀ c₁ : Choice} {lu : LUniv}
        → Process i {lu} c₀
        → (A B : Label lu → Bool)
        → Process+ i {lu} c₁
        → (||||name : String → String → String)
        → (fmapLeftName : ChoiceSet c₀ → String → String)
        → (fmapRightName : ChoiceSet c₁ → String → String)
        → Process+ i {lu} (c₀ ×' c₁)
  (terminate a) [ A ]||wNamp+[ B ] Q Using ||||name , fmapLeftName , fmapRightName
    = fmapWithName+ (fmapLeftName a) (λ b → (a ,, b)) (Q ∖+ (B ∖ A))
  (node P) [ A ]||wNamp+[ B ] Q Using ||||name , fmapLeftName , fmapRightName
    = P [ A ]||wNam+[ B ] Q Using ||||name , fmapLeftName , fmapRightName

  _[_]||wNam+p[_]_Using_,_,_ : {i : Size} → {c₀ c₁ : Choice} {lu : LUniv}
        → Process+ i {lu} c₀
        → (A B : Label lu → Bool)
        → Process i {lu} c₁
        → (||||name : String → String → String)
        → (fmapLeftName : ChoiceSet c₀ → String → String)
        → (fmapRightName : ChoiceSet c₁ → String → String)
        → Process+ i {lu} (c₀ ×' c₁)
  P [ A ]||wNam+p[ B ] terminate b Using ||||name , fmapLeftName , fmapRightName
    = fmapWithName+ (fmapRightName b) (λ a → (a ,, b)) (P ∖+ (A ∖ B))
  P [ A ]||wNam+p[ B ] node Q Using ||||name , fmapLeftName , fmapRightName
    = P [ A ]||wNam+[ B ] Q Using ||||name , fmapLeftName , fmapRightName

  _[_]||wNam+[_]_Using_,_,_ : {i : Size} → {c₀ c₁ : Choice} {lu : LUniv}
        → Process+ i {lu} c₀
        → (A B : Label lu → Bool)
        → Process+ i {lu} c₁
        → (||||name : String → String → String)
        → (fmapLeftName : ChoiceSet c₀ → String → String)
        → (fmapRightName : ChoiceSet c₁ → String → String)
        → Process+ i {lu} (c₀ ×' c₁)
  E (P [ A ]||wNam+[ B ] Q Using ||||name , fmapLeftName , fmapRightName)
    = subset' (E P) ((¬b ∘ A) ∘ (Lab P)) ⊎'
      subset' (E Q) ((¬b ∘ B) ∘ (Lab Q)) ⊎'
      subset' (E P ×' E Q) (λ {(e₁ ,, e₂)
        → Lab P e₁ ==l Lab Q e₂ ∧ A (Lab P e₁) ∧ B (Lab Q e₂)})
  Lab (P [ A ]||wNam+[ B ] Q Using ||||name , fmapLeftName , fmapRightName) (inj₁ (inj₁ (sub c p)))
    = Lab P c
  Lab (P [ A ]||wNam+[ B ] Q Using ||||name , fmapLeftName , fmapRightName) (inj₁ (inj₂ (sub c p)))
    = Lab Q c
  Lab (P [ A ]||wNam+[ B ] Q Using ||||name , fmapLeftName , fmapRightName) (inj₂ (sub (c₀ ,, c₁) p))
    = Lab P c₀
  PE (P [ A ]||wNam+[ B ] Q Using ||||name , fmapLeftName , fmapRightName) (inj₁ (inj₁ (sub c p)))
    = PE P c [ A ]||wNam∞+[ B ] Q Using ||||name , fmapLeftName , fmapRightName
  PE (P [ A ]||wNam+[ B ] Q Using ||||name , fmapLeftName , fmapRightName) (inj₁ (inj₂ (sub c p)))
    = P [ A ]||wNam+∞[ B ] PE Q c Using ||||name , fmapLeftName , fmapRightName
  PE (P [ A ]||wNam+[ B ] Q Using ||||name , fmapLeftName , fmapRightName) (inj₂ (sub (c₀ ,, c₁) p))
    = PE P c₀ [ A ]||wNam∞[ B ] PE Q c₁ Using ||||name , fmapLeftName , fmapRightName
  I (P [ A ]||wNam+[ B ] Q Using ||||name , fmapLeftName , fmapRightName)
    = I P ⊎' I Q
  PI (P [ A ]||wNam+[ B ] Q Using ||||name , fmapLeftName , fmapRightName) (inj₁ c)
    = PI P c [ A ]||wNam∞+[ B ] Q Using ||||name , fmapLeftName , fmapRightName
  PI (P [ A ]||wNam+[ B ] Q Using ||||name , fmapLeftName , fmapRightName) (inj₂ c)
    = P [ A ]||wNam+∞[ B ] PI Q c Using ||||name , fmapLeftName , fmapRightName
  T (P [ A ]||wNam+[ B ] Q Using ||||name , fmapLeftName , fmapRightName)
    = T P ×' T Q
  PT (P [ A ]||wNam+[ B ] Q Using ||||name , fmapLeftName , fmapRightName) (c₀ ,, c₁)
    = PT P c₀ ,, PT Q c₁
  Str+ (P [ A ]||wNam+[ B ] Q Using ||||name , fmapLeftName , fmapRightName)
    = ||||name (Str+ P) (Str+ Q)


A.63 prefix.agda

--@PREFIX@prefix
module prefix where
open import Size
open import Data.String renaming (_==_ to _==strb_; _++_ to _++s_)
open import process
open import choiceSetU
open import showFunction
open import dataAuxFunction
open import labelUniv
-- open import NativeIO

--@BEGIN@preDef
_⟶Str_ : {lu : LUniv} → Label lu → String → String
l ⟶Str s = "(" ++s showLabel l ++s " ⟶ " ++s s ++s ")"

_⟶+_ : {i : Size} → {c : Choice} → {lu : LUniv} → Label lu
       → Process∞ i c → Process+ i c
E    (l ⟶+ P)   = ⊤'
Lab  (l ⟶+ P) c = l
PE   (l ⟶+ P) c = P
I    (l ⟶+ P)   = ∅'
PI   (l ⟶+ P) ()
T    (l ⟶+ P)   = ∅'
PT   (l ⟶+ P) ()
Str+ (l ⟶+ P)   = l ⟶Str Str∞ P

_⟶_ : {i : Size} → {c : Choice} → {lu : LUniv} → Label lu
      → Process∞ i c → Process i c
l ⟶ P = node (l ⟶+ P)
--@END

_⟶+'_ : {i : Size} → {c : Choice} → {lu : LUniv} → Label lu → Process∞ i c → Process+ i c
l ⟶+' P = process+ ⊤' (λ _ → l) (λ _ → P) ∅' efq ∅' efq
                   (l ⟶Str Str∞ P)

_⟶++_ : {i : Size} → {c : Choice} → {lu : LUniv} → Label lu → Process+ i c → Process+ i c
l ⟶++ P = l ⟶+ (delay (node P))

_⟶p+_ : {i : Size} → {c : Choice} → {lu : LUniv} → Label lu → Process i c → Process+ i c
l ⟶p+ P = l ⟶+ (delay P)

_⟶pp_ : {i : Size} → {c : Choice} → {lu : LUniv} → Label lu → Process i c → Process i c
l ⟶pp P = node (l ⟶+ (delay P))

_⟶p∞_ : {i : Size} → {c : Choice} → {lu : LUniv} → Label lu → Process i c → Process∞ i c
forcep (l ⟶p∞ P) = l ⟶pp P
Str∞   (l ⟶p∞ P) = l ⟶Str Str P

_⟶∞∞_ : {i : Size} → {c : Choice} → {lu : LUniv} → Label lu → Process∞ i {lu} c → Process∞ i c
forcep (l ⟶∞∞ P) = l ⟶ P
Str∞   (l ⟶∞∞ P) = l ⟶Str Str∞ P


A.64 preFix.agda

module preFix where
open import Size
open import Data.String renaming (_==_ to _==strb_; _++_ to _++s_)
open import process
open import choiceSetU
open import showFunction
open import dataAuxFunction
open import labelUniv
-- open import NativeIO

_⟶Str_ : {lu : LUniv} → Label lu → String → String
l ⟶Str s = -- "(" ++s showLabel l ++s " ⟶ " ++s s ++s ")"
            "(" ++s showLabel l ++s " -> " ++s s ++s ")"

_⟶+_ : {i : Size} → {c : Choice} → {lu : LUniv} → Label lu → Process∞ i c → Process+ i c
l ⟶+ P = process+ ⊤' (λ _ → l) (λ _ → P) ∅' efq ∅' efq
                  (l ⟶Str Str∞ P)

_⟶_ : {i : Size} → {c : Choice} → {lu : LUniv} → Label lu → Process∞ i c → Process i c
l ⟶ P = node (l ⟶+ P)

{- Nicer looking version, use in library instead of _⟶+_ but not in paper -}

_⟶+'_ : {i : Size} → {c : Choice} → {lu : LUniv} → Label lu → Process∞ i c → Process+ i c
E    (l ⟶+' P)   = ⊤'
Lab  (l ⟶+' P) c = l
PE   (l ⟶+' P) c = P
I    (l ⟶+' P)   = ∅'
PI   (l ⟶+' P) ()
T    (l ⟶+' P)   = ∅'
PT   (l ⟶+' P) ()
Str+ (l ⟶+' P)   = showLabel l -- l ⟶Str Str∞ P

_⟶++_ : {i : Size} → {c : Choice} → {lu : LUniv} → Label lu → Process+ i c → Process+ i c
l ⟶++ P = l ⟶+ (delay (node P))

_⟶p+_ : {i : Size} → {c : Choice} → {lu : LUniv} → Label lu → Process i c → Process+ i c
l ⟶p+ P = l ⟶+ (delay P)

_⟶pp_ : {i : Size} → {c : Choice} → {lu : LUniv} → Label lu → Process i c → Process i c
l ⟶pp P = node (l ⟶+ (delay P))

_⟶p∞_ : {i : Size} → {c : Choice} → {lu : LUniv} → Label lu → Process i c → Process∞ i c
forcep (l ⟶p∞ P) = l ⟶pp P
Str∞   (l ⟶p∞ P) = l ⟶Str Str P

_⟶∞∞_ : {i : Size} → {c : Choice} → {lu : LUniv} → Label lu → Process∞ i {lu} c → Process∞ i c
forcep (l ⟶∞∞ P) = l ⟶ P
Str∞   (l ⟶∞∞ P) = l ⟶Str Str∞ P


A.65 primitiveProcess.agda

--@PREFIX@primitive
module primitiveProcess where

open import Size
open import Data.String renaming (_==_ to _==strb_; _++_ to _++s_)
open import Data.List
open import process
open import auxData
open import dataAuxFunction
open import choiceSetU
open import labelUniv

--@BEGIN@StopDef
STOP+ : {i : Size} → (c : Choice) → {lu : LUniv} → Process+ i {lu} c
STOP+ c = process+ ∅' efq efq ∅' efq ∅' efq "STOP"

STOP : {i : Size} → (c : Choice) → {lu : LUniv} → Process i {lu} c
STOP c = node (STOP+ c)

STOP∞ : {i : Size} → (c : Choice) → {lu : LUniv} → Process∞ i {lu} c
forcep (STOP∞ c) = STOP c
Str∞   (STOP∞ c) = "STOP∞"
--@END

MSKIP+ : (i : Size) → (c : Choice) → (t : Choice) → {lu : LUniv}
         → (f : ChoiceSet t → ChoiceSet c) → Process+ i {lu} c
MSKIP+ i c t f = process+ ∅' efq efq ∅' efq t f "MSKIP"

MSKIP : (i : Size) → (c : Choice) → (t : Choice) → {lu : LUniv}
        → (f : ChoiceSet t → ChoiceSet c) → Process i {lu} c
MSKIP i c t f = node (MSKIP+ i c t f)

MSkip : {i : Size} → {c : Choice} → (t : Choice) → {lu : LUniv}
        → (f : ChoiceSet t → ChoiceSet c) → Process i {lu} c
MSkip {i} {c} = MSKIP i c

--@BEGIN@SkipDef
SKIP+ : {i : Size} → {c : Choice} → (a : ChoiceSet c)
        → {lu : LUniv} → Process+ i {lu} c
SKIP+ a = process+ ∅' efq efq ∅' efq ⊤' (λ _ → a)
                   ("SKIP(" ++s choice2Str a ++s ")")

SKIP : {i : Size} → {c : Choice} → (a : ChoiceSet c)
       → {lu : LUniv} → Process i {lu} c
SKIP a = node (SKIP+ a)

SKIP∞ : {i : Size} → {c : Choice} → (a : ChoiceSet c)
        → {lu : LUniv} → Process∞ i {lu} c
forcep (SKIP∞ a) = SKIP a
Str∞   (SKIP∞ a) = ("SKIP∞(" ++s choice2Str a ++s ")")
--@END

TERMINATE : {i : Size} → {c : Choice} → (a : ChoiceSet c) → {lu : LUniv} → Process i {lu} c
TERMINATE a = terminate a

TERMINATE∞ : {i : Size} → {c : Choice} → (a : ChoiceSet c) → {lu : LUniv} → Process∞ i {lu} c
forcep (TERMINATE∞ a) = TERMINATE a
Str∞   (TERMINATE∞ a) = "terminate(" ++s choice2Str a ++s ")"

SKIPL+ : {i : Size} → {c : Choice} → List (ChoiceSet c) → {lu : LUniv} → Process+ i {lu} c
SKIPL+ {i} {c} l = process+ ∅' efq efq ∅' efq (fin (length l)) (nth l) "SKIPL ???"

A.66 process.agda

--@PREFIX@Process
module process where

open import choiceSetU
open import labelUniv
open import Size
open import Data.String renaming (_++_ to _++s_)

--@BEGIN@processinf
mutual
  record Process∞ (i : Size) {lu : LUniv} (c : Choice) : Set where
    coinductive
    field
      forcep : {j : Size< i} → Process j {lu} c
      Str∞   : String
--@END

--@BEGIN@process
  data Process (i : Size) {lu : LUniv} (c : Choice) : Set where
    terminate : ChoiceSet c → Process i {lu} c
    node      : Process+ i {lu} c → Process i {lu} c
--@END

--@BEGIN@processplus
  record Process+ (i : Size) {lu : LUniv} (c : Choice) : Set where
    constructor process+
    coinductive
    field
      E    : Choice
      Lab  : ChoiceSet E → Label lu
      PE   : ChoiceSet E → Process∞ i {lu} c
      I    : Choice
      PI   : ChoiceSet I → Process∞ i {lu} c
      T    : Choice
      PT   : ChoiceSet T → ChoiceSet c
      Str+ : String
--@END

open Process∞ public
open Process+ public

Ep : {i : Size}{lu : LUniv}{c : Choice} → Process i {lu} c → Choice
Ep {i} {c} (terminate x) = ∅'
Ep {i} {c} (node Q)      = E Q

Labp : {i : Size}{lu : LUniv}{c : Choice} → (P : Process i {lu} c) → ChoiceSet (Ep P) → Label lu
Labp {i} {c} (terminate x) ()
Labp {i} {c} (node Q) x = Lab Q x

E∞ : {lu : LUniv}{c : Choice} → Process∞ ∞ {lu} c → Choice
E∞ {c} P = Ep (forcep P)

Lab∞ : {lu : LUniv}{c : Choice} → (P : Process∞ ∞ {lu} c) → ChoiceSet (E∞ P) → Label lu
Lab∞ {c} P x = Labp (forcep P) x

Ip : {i : Size}{lu : LUniv}{c : Choice} → Process i {lu} c → Choice
Ip {i} {c} (terminate x) = ∅'
Ip {i} {c} (node Q)      = I Q

Tp : {i : Size}{lu : LUniv}{c : Choice} → Process i {lu} c → Choice
Tp {i} {c} (terminate x) = ∅'
Tp {i} {c} (node Q)      = T Q

Str : {i : Size} → {c : Choice} → {lu : LUniv} → Process i {lu} c → String
Str (terminate a) = "terminate (" ++s choice2Str a ++s ")"
Str (node P)      = Str+ P

--@BEGIN@delayprocess
delay : {i : Size} → {lu : LUniv} → {c : Choice} → Process i {lu} c
        → Process∞ (↑ i) {lu} c
forcep (delay P) = P
Str∞   (delay P) = Str P
--@END

delayi : (i : Size) → {lu : LUniv} → {c : Choice} → Process i {lu} c
         → Process∞ (↑ i) {lu} c
forcep (delayi i P) = P
Str∞   (delayi i P) = Str P


A.67 process2OptimizedProcess.agda

module process2OptimizedProcess where

open import choiceSetU
open import choiceSetUOptimized
open import labelUniv
open import Size
open import Data.String renaming (_++_ to _++s_)
open import process

mutual
  optmizedProcess∞ : (i : Size) {lu : LUniv} (c : Choice) (p : Process∞ i {lu} c)
                     → Process∞ i {lu} c
  forcep (optmizedProcess∞ i c p) {j} = optmizedProcess j c (forcep p {j})
  Str∞   (optmizedProcess∞ i c p)     = Str∞ p

  optmizedProcess : (i : Size) {lu : LUniv} (c : Choice) (p : Process i {lu} c)
                    → Process i {lu} c
  optmizedProcess i c (terminate x) = terminate x
  optmizedProcess i c (node x)      = node (optmizedProcess+ i c x)

  optmizedProcess+ : (i : Size) {lu : LUniv} (c : Choice) (p : Process+ i {lu} c)
                     → Process+ i {lu} c
  E    (optmizedProcess+ i c p)   = choice2OptimizedChoice (E p)
  Lab  (optmizedProcess+ i c p) x = Lab p (choice2OptimizedChoice2choice (E p) x)
  PE   (optmizedProcess+ i c p) x = optmizedProcess∞ i c (PE p (choice2OptimizedChoice2choice (E p) x))
  I    (optmizedProcess+ i c p)   = choice2OptimizedChoice (I p)
  PI   (optmizedProcess+ i c p) x = optmizedProcess∞ i c (PI p (choice2OptimizedChoice2choice (I p) x))
  T    (optmizedProcess+ i c p)   = choice2OptimizedChoice (T p)
  PT   (optmizedProcess+ i c p) x = PT p (choice2OptimizedChoice2choice (T p) x)
  Str+ (optmizedProcess+ i c p)   = Str+ p


A.68 process2OptimizedProcess2.agda

module process2OptimizedProcess2 where

open import choiceSetU
open import choiceSetUOptimized2
open import labelUniv
open import Size
open import Data.String renaming (_++_ to _++s_)
open import process

mutual
  optmizedProcess∞ : (i : Size) {lu : LUniv} (c : Choice) (p : Process∞ i {lu} c)
                     → Process∞ i {lu} c
  forcep (optmizedProcess∞ i c p) {j} = optmizedProcess j c (forcep p {j})
  Str∞   (optmizedProcess∞ i c p)     = Str∞ p

  optmizedProcess : (i : Size) {lu : LUniv} (c : Choice) (p : Process i {lu} c)
                    → Process i {lu} c
  optmizedProcess i c (terminate x) = terminate x
  optmizedProcess i c (node x)      = node (optmizedProcess+ i c x)

  optmizedProcess+ : (i : Size) {lu : LUniv} (c : Choice) (p : Process+ i {lu} c)
                     → Process+ i {lu} c
  E    (optmizedProcess+ i c p)   = choice2OptimizedChoice (E p)
  Lab  (optmizedProcess+ i c p) x = Lab p (choice2OptimizedChoice2choice (E p) x)
  PE   (optmizedProcess+ i c p) x = optmizedProcess∞ i c (PE p (choice2OptimizedChoice2choice (E p) x))
  I    (optmizedProcess+ i c p)   = choice2OptimizedChoice (I p)
  PI   (optmizedProcess+ i c p) x = optmizedProcess∞ i c (PI p (choice2OptimizedChoice2choice (I p) x))
  T    (optmizedProcess+ i c p)   = choice2OptimizedChoice (T p)
  PT   (optmizedProcess+ i c p) x = PT p (choice2OptimizedChoice2choice (T p) x)
  Str+ (optmizedProcess+ i c p)   = Str+ p


A.69 process2OptimizedProcess3.agda

module process2OptimizedProcess3 where

open import choiceSetU
open import choiceSetUOptimized3
open import labelUniv
open import Size
open import Data.String renaming (_++_ to _++s_)
open import process

mutual
  optmizedProcess∞ : (i : Size) {lu : LUniv} (c : Choice) (p : Process∞ i {lu} c)
                     → Process∞ i {lu} c
  forcep (optmizedProcess∞ i c p) {j} = optmizedProcess j c (forcep p {j})
  Str∞   (optmizedProcess∞ i c p)     = Str∞ p

  optmizedProcess : (i : Size) {lu : LUniv} (c : Choice) (p : Process i {lu} c)
                    → Process i {lu} c
  optmizedProcess i c (terminate x) = terminate x
  optmizedProcess i c (node x)      = node (optmizedProcess+ i c x)

  optmizedProcess+ : (i : Size) {lu : LUniv} (c : Choice) (p : Process+ i {lu} c)
                     → Process+ i {lu} c
  E    (optmizedProcess+ i c p)   = choice2OptimizedChoice (E p)
  Lab  (optmizedProcess+ i c p) x = Lab p (choice2OptimizedChoice2choice (E p) x)
  PE   (optmizedProcess+ i c p) x = optmizedProcess∞ i c (PE p (choice2OptimizedChoice2choice (E p) x))
  I    (optmizedProcess+ i c p)   = choice2OptimizedChoice (I p)
  PI   (optmizedProcess+ i c p) x = optmizedProcess∞ i c (PI p (choice2OptimizedChoice2choice (I p) x))
  T    (optmizedProcess+ i c p)   = choice2OptimizedChoice (T p)
  PT   (optmizedProcess+ i c p) x = PT p (choice2OptimizedChoice2choice (T p) x)
  Str+ (optmizedProcess+ i c p)   = Str+ p


A.TO proofAss.agda 


--@PREFIX@mainproofAss 
module proof Ass where 


open 
open 
open 
open 
open 
open 
open 
open 
open 
open 
open 
open 
o- 


mport process 
mport TraceWithoutSize 
mport Size 
mport choiceSetU 
mport auxData 
mport Data.Maybe 
mport Data.Product 
mport interleave 
mport Data.List 
mport Data.Sum 
mport renamingResult 
mport RefWithoutSize 


-o 





598 


A.70. proofAss.agda 
o-o 


open import dataAuxFunction 
open import lemFmap 
open import traceEquivalence 
open import Data.Product 
open import labelllniv 
open import auxData 

maybeChoice : {c 0 c\ c 2 : Choice} — Set 

maybeChoice {c 0 } {c x } {c 2 } = ((ChoiceSet c 0 auxData. x ChoiceSet c x ) auxData. x ChoiceSet 


mutual 

--@BEGIN@AssIntDef 

Ass|||+ : {lu : LUniv}{c 0 c\ c 2 : Choice} ( P : Process+ oo { lu } c 0 ) 

( Q : Process+ oo { lu } ci) 

(Z : Process+ oo {lu} c 2 ) 

—F ((P 111d—F Q) HH—F Z) C-F fmap+ Assx {P |j|H — F ( Q |||d — F Z )) 

Ass |||-h P Q Z .[] .nothing empty = empty 
Ass |||+ P Q Z .{ Lab Pi:: l ) m (extc l .m (inji x) a;i) 

= extc l m (injx (inji x )) (Ass|||oo++ (PE Pi) Q Z l m x i) 

Ass111-h P Q Z .(Lab Q x :: /) m (extc l .m (inj 2 (inji x)) a;i) 

= extc l m (injx (inj 2 x)) (Ass|||+oo+ P (PE Q x) Z l m X\) 

Ass |||+ P Q Z.(Lab Z y :: /) m (extc l .m (inj 2 (inj 2 y )) x\) 

= extc l m (inj 2 y) (Ass|||++oo P Q {PE Z y) l m x i) 

Ass|||+ P Q Z l m (intc .1 .m (injx x) X\) 

= intc l m (injx (injx x)) (Ass| | |oo++ (PI Pi) Q Z l m x\) 
Ass|||+ P Q Z l m (intc .1 .m (inj 2 (inj x x)) X\) 

= intc l m (inji (inj 2 x )) (Ass|||+oo+ P (PI Q x) Z l m x\) 
Ass 111-h P Q Z l m (intc .1 .m (inj 2 (inj 2 y)) x\) 

= intc l m (injo y) (Ass|j|++oo P Q (PI Z y) l m xi) 

Ass||| + PQZ.[] .(just ((PT Pi„ PT Q Xl )„ PT Z x 2 )) 

(terc (a;,, (xi „ x 2 ))) = terc ((x„ x ± ) „ a^) 

--(SEND 


Ass|||oo-F+ : {lu : LUniv}{c 0 C\ c 2 : Choice}(F : Processoo oo c 0 ) 

{Q : Process-F oo {lu} ci) 

{Z : Process-F oo {lu} c 2 ) 


O- 


-o 
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-+ Refoo (((P |||oo+ Q ) |||oo+ Z)) (fmapoo Assx ( P |||oo+ (Q |||++ Z))) 
Ass11 1 co+H- P Q Z l m (tnode tr ) = tnode (Ass|||+pp (forcep P) Q Z l m tr) 

Ass|||+oo+ : {lu : LUniv}{co c\ c 2 : Choice}(P : Process+ oo { lu } cq) 

( Q : Processoo oo c\) 

(Z : Process+ oo { lu } c 2 ) 

—> Refoo (((P IH+oo Q) 1 11 oo+ Z)) (fmapoo Assx ( P |||+oo (Q |||oo+ Z))) 
Ass|||+oo+ P Q Z l m (tnode tr) = tnode (Assj||p+p P (forcep Q) Z l m tr) 

Ass|||++oo : {lu : LUniv}{co c\ c 2 : Choice}(P : Process+ oo {lu} cq) 

( Q : Process+ oo {lu} ci) 

(Z : Processoo oo c 2 ) 

—> Refoo (((P |||++ Q) IH+oo Z)) (fmapoo Assx ( P |||+oo (Q |||+oo Z))) 

Ass111++oo P Q Z l m (tnode tr) = tnode (Ass|||pp+ P Q (forcep Z) l m tr) 

Ass|||+pp : {lu : LUniv}{c 0 C\ c 2 : Choice}(P : Process oo c 0 ) 

(Q : Process+ oo {lu} c\) 

(Z : Process+ oo {lu} c 2 ) 

—> Ref+ {{{P i||p+ Q) ||H—h Z)) (fmap+ Assx ( P j||p+ {Q jj|H—h Z))) 

Ass| | |+pp (terminate x) Q Z l m tr = Ass|||-++ Q Z x l m tr 

Ass|| |+pp (node x) Q Z l m tr = Ass111 + x Q Z l m tr 

Ass|11p+p : {lu : LUniv}{co c\ c 2 : Choice}(P : Process+ oo {lu} Co) 

(Q : Process oo c\) 

(Z : Process+ oo {lu} c 2 ) 

—> Ref+ (((P |||+P Q) ||H—I - Z)) (fmap+ Assx ( P |||H—f- (Q |||p+ Z))) 

Ass|11p+p P (terminate x) Z l m tr = Ass|||+-+ P Z x l m tr 
Ass|11p+p P (node x) Z l m tr = Ass111 + P x Z l m tr 

Ass11jpp+ : {lu : LUniv}{c 0 C\ c 2 : Choice}(P : Process+ oo {lu} c 0 ) 

(Q : Process+ oo {lu} C\) 

(Z : Process oo c 2 ) 

—> Ref+ {{{P ||H—b Q) |||+P Z)) (fmap+ Assx ( P |||H—f- (Q |||+p Z))) 

Ass111pp+ P Q (terminate x) l m tr = Ass|||++- P Q m l x tr 
Ass111pp+ P Q (node x) l m tr — Ass111 + P Q x l m tr 


a 


-o 
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Ass|||-++ : {lu : LUniv}{c 0 Ci c 2 : Choice}(Q : Process+ oo { lu } Ci) 

(Z : Process+ oo {lu} c 2 ) 

—> (x : ChoiceSet c 0 ) 

—y ( l : List (Label lu)) 

—>■ (m : Maybe maybeChoice) 

—> (x 2 : Tr+ l m (fmap+ Assx (fmap+ x) ( Q |||++ Z)))) 

—> Tr+ l m (fmap+ x) Q |||++ Z) 

Ass|||-++ Q Z x .[] .nothing empty = empty 

Ass|||-++ Q Z x .(Lab Q x\ :: 1) m (extc l .m (inji a;i) x 2 ) = extc l m (inji x\) (Ass|||-oo+ (F 

Ass| || —|—(- Q Z x .(Lab Z y :: l) m (extc l .m (inj 2 y) x 2 ) = extc l m (inj 2 y ) (Ass11 1-- 

Ass|||-++ Q Z x l m (intc .1 .m (inji £i) x 2 ) = intc l m (inji %i) ( Ass| | j-c 

Ass|||-++ Q Z x l m (intc .1 .m (inj 2 y) x 2 ) = intc l m (inj 2 y ) (Ass| 11 —I 

Assj jj —|—I- Q Z x .[] .(just ((x „ PT Q x x ) „ PT Z x 2 )) (terc (x x „ a^)) = terc (xi „ x 2 ) 


Ass111H—h : {lu : LUniv}{co ci c 2 : Choice}(F : Process+ 00 {lu} cq) 

(Z : Process+ 00 {lu} c 2 ) 

—> (x : ChoiceSet ci) 

—> (l : List (Label lu)) 

—> (m : Maybe maybeChoice) 

—> (tr : Tr+ l m (fmap+ Assx (P |||++ fmap+ (_,,_ x) Z))) 

->• Tr+ l m (fmap+ (X a —> a „ x) P \ \ |++ Z) 

Ass111H—|- P Z x .[] .nothing empty = empty 

Ass111H—|- P Z x .(Lab P x\ :: l) m (extc l .m (inji £ 1 ) £ 2 ) = extc l m (inji Xi)(Ass|||oo-+ (PE 
Ass111H—|- P Z x .(Lab Z y :: l) m (extc l .m (inj 2 y) x 2 ) = extc l m (inj 2 y) (Ass|||+- 

Ass111H—|- P Z x l m (intc .1 .m (inji £ 1 ) x 2 ) = intc l m (inji tci)( Ass| 11 oo- 

Ass111H—|- P Z x l m (intc .1 .m (inj 2 y) x 2 ) = intc l m (inj 2 y) (Ass111 H— 

Assj j jH—h P Z x .[] .(just ((PT P x\ ,, x) ,, PT Z x 2 )) (terc (zi ,, x 2 )) = terc (ay ,, x 2 ) 


Ass111H —|— : {lu : LUniv}{co ci c 2 : Choice}(F : Process+ 00 {lu} cq) 

(Q : Process+ 00 {lu} c\) 

—> (m : Maybe maybeChoice) 

—> (l : List (Label lu)) 

(x : ChoiceSet c 2 ) 

—> (tr : Tr+ l m (fmap+ Assx (P |||++ fmap+ (X a —> a ,, x) Q ))) 

—> Tr+ l m (fmap+ (X a —* a „ x) (P ||j++ Q)) 

Ass111H—|— P Q .nothing .[] x empty = empty 

Ass11 ]H—|— P Q m .(Lab P x 1 :: l) x (extc l .m (inji ^ 1 ) % 2 ) = extc l m (inji £ 1 ) (Ass111 00 H— (F 
Ass111H—|— P Q m .(Lab Q y :: l) x (extc l .m (inj 2 y) x 2 ) = extc l m (inj 2 y) (Ass|||+( 


o 


-o 
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Ass111-|-H— P Q m l x (intc .1 .m (inji x\) x 2 ) = intc l m (inji xi) (Ass111ooH— (PI . 

Ass111H-H— P Q m l x (intc .1 .m (inj 2 y) X 2 ) = intc l m (inj 2 y) (Ass|||+oo- P (F 

Assjj j-|—|— P Q .(just ((PT P x 1 „ PT Q x 2 ) „ x)) .[] x (terc (xi „ X 2 )) = terc (xi „ x 2 ) 


Ass|||-oo+ : {lu : LUniv}{c 0 C\ c 2 : Choice}(() : Processoo 00 Ci) 

(Z : Process+ 00 {lu} c 2 ) 

—j- (x : ChoiceSet c 0 ) 

—> (l : List (Label lu)) 

—> (m : Maybe maybeChoice) 

—y (x 2 : Troo l m (fmapoo Assx (fmapcxo (_,,_ x) (Q |||oo+ Z)))) 

—> Trcxa l m (fmapcxo (_,,_ x) Q |||oo+ Z) 

Ass|||-oo+ Q Z x l m (tnode tr) = tnode (Ass|||-p+ (forcep Q) Z x l m tr) 


Ass11 1 00 —|- : {lu : LUniv}{co c,\ c 2 : Choice}(P : Processoo 00 c 0 ) 

( Z : Process+ 00 {lu} c 2 ) 

—> (x : ChoiceSet c\) 

—> (l : List (Label lu)) 

—> (m : Maybe maybeChoice) 

—y (x 2 : Troo l m (fmapoo Assx ( P |||oo+ fmap+ (_,,_ x) Z))) 
—> Troo l m (fmapoo (X a —>• a „ x) P |||oo+ Z) 

Ass 11 1 00 -+ P Z x l m (tnode tr) = Ass|||p-+ (forcep P) Z x l m tr 


Ass 11 1 ooH — : {lu : LUniv}{c 0 c,\ c 2 : Choice}(P : Processoo 00 c 0 ) 

( Q : Process+ 00 {lu} c\) 


—> ( m 

: Maybe maybeChoice) 

(I 

: List (Label lu)) 

—> {x 

: ChoiceSet c 2 ) 


—)■ ( x 2 : Troo l m (fmapoo Assx ( P |||oo+ fmap+ (X a —> a ,, x) Q))) 
—> Troo l m (fmapoo (X a —> a „ x) ( P |||oo+ Q)) 

Ass 11 1 ooH — P Q m l x (tnode tr) = tnode (Ass11 1 pH— (forcep P) Q m l x tr) 


+ 00 - : 

{lu : LUniv}{co c\ c 2 : 

Choice}(P 

: Process+ 00 {lu} cq) 


(Q : 

Processoo 00 ci) 

—» (m 

: Maybe maybeChoice^ 



(I 

: List (Label lu)) 



—> (x 

: ChoiceSet c 2 ) 




a 


o 
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—> ( X 2 : Troo l m (fmapoo Assx ( P |j|+oo fmapoo (X a —y a „ x) Q ))) 
—>• Troo l m (fmapoo (X a —>■ a „ x) (P |||+oo Q )) 

Ass|||+oo- P Q m l x (tnode tr) = tnode (Ass|||+p- P (forcep Q) m l x tr) 


Ass111H—oo : {lu : LUniv}{co c\ c 2 : Choice}(P : Process+ 00 { lu } Co) 

(Z : Processoo 00 c 2 ) 

—> (x : ChoiceSet c\) 

—y (l : List (Label lu)) 

—> (m : Maybe maybeChoice) 

—y (x 2 : Troo l m (fmapoo Assx (P |jj+oo fmapoo (_,,_ x) ( Z)))) 

—> Troo l m (fmap+ (X a —a „ x) P |||+oo Z) 

Ass111H— 00 P Z x l m (tnode tr) = tnode (Ass|||+-p P (forcep Z) x l m tr) 


Ass|||-+oo : {lu : LUniv}{co c\ c 2 : Choice}(Q : Process+ 00 {lu} c\) 

(Z : Processoo 00 c 2 ) 


—>■ (x : ChoiceSet c 0 ) 

—> (l : List (Label lu)) 

—> (m : Maybe maybeChoice) 

—> (x2 : Troo l m (fmapoo Assx (fmapoo (_,,_ x) ( Q |||+oo Z )))) 

—)• Troo l m (fmap+ (_,,_ x) Q |jj+oo Z) 

Ass|||-+oo Q Z x l m (tnode tr) = tnode (Ass|||-+p Q (forcep Z) x l m tr) 


Ass -p+ : {lu 

: LUniv}{co c\ c 2 : Choice}(Q : Process 00 c\) 


(Z : Process+ 00 {lu} c 2 ) 

—> (x : 

ChoiceSet c 0 ) 

(l : 

List (Label lu)) 

—> (m : 

Maybe maybeChoice) 


—y (x 2 : Tr+ l m (fmap+ Assx (fmap+ (_,,_ x)(Q |||p+ Z)))) 
—y Tr+ l m (fmap (_^,_ x) Q ||jp+ Z) 

Ass|||-p+ (terminate q) Z x l m tr = Ass111—+ Z q x l m tr 
Ass11 |-p+ (node q) Z x l m tr = Ass| 11-++ q Z x l m tr 


Ass|||+-p 


—> (x 
— > (m 


  Ass|||+-p : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process+ ∞ {lu} c₀)
              (Z : Process ∞ c₂)
              → (x : ChoiceSet c₁)
              → (l : List (Label lu))
              → (m : Maybe maybeChoice)
              → (x₂ : Tr+ l m (fmap+ Ass× (P |||+p fmap (_,,_ x) Z)))
              → Tr+ l m (fmap+ (λ a → a ,, x) P |||+p Z)
  Ass|||+-p P (terminate x) x₁ l m x₂ = Ass|||+-- P m l x₁ x x₂
  Ass|||+-p P (node x) x₁ l m x₂ = Ass|||+-+ P x x₁ l m x₂

  Ass|||+p- : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process+ ∞ {lu} c₀)
              (Q : Process ∞ c₁)
              → (m : Maybe maybeChoice)
              → (l : List (Label lu))
              → (x : ChoiceSet c₂)
              → (x₂ : Tr+ l m (fmap+ Ass× (P |||+p fmap (λ a → a ,, x) Q)))
              → Tr+ l m (fmap+ (λ a → a ,, x) (P |||+p Q))
  Ass|||+p- P (terminate x) m l x₁ x₂ = Ass|||+-- P m l x x₁ x₂
  Ass|||+p- P (node x) m l x₁ x₂ = Ass|||++- P x m l x₁ x₂

  Ass|||p+- : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process ∞ c₀)
              (Q : Process+ ∞ {lu} c₁)
              → (m : Maybe maybeChoice)
              → (l : List (Label lu))
              → (x : ChoiceSet c₂)
              → (x₂ : Tr+ l m (fmap+ Ass× (P |||p+ fmap+ (λ a → a ,, x) Q)))
              → Tr+ l m (fmap+ (λ a → a ,, x) (P |||p+ Q))
  Ass|||p+- (terminate x) Q m l x₁ x₂ = Ass|||-+- Q x x₁ l m x₂
  Ass|||p+- (node x) Q m l x₁ x₂ = Ass|||++- x Q m l x₁ x₂

  Ass|||p-+ : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process ∞ c₀)
              (Z : Process+ ∞ {lu} c₂)
              → (x : ChoiceSet c₁)
              → (l : List (Label lu))
              → (m : Maybe maybeChoice)
              → (x₂ : Tr+ l m (fmap+ Ass× (P |||p+ fmap+ (_,,_ x) Z)))
              → Tr l m (node (fmap (λ a → a ,, x) P |||p+ Z))
  Ass|||p-+ (terminate x) Z x₁ l m x₂ = tnode (Ass|||--+ Z x₁ x l m x₂)
  Ass|||p-+ (node x) Z x₁ l m x₂ = tnode (Ass|||+-+ x Z x₁ l m x₂)

  Ass|||-+p : {lu : LUniv}{c₀ c₁ c₂ : Choice}(Q : Process+ ∞ {lu} c₁)
              (Z : Process ∞ c₂)
              → (x : ChoiceSet c₀)
              → (l : List (Label lu))
              → (m : Maybe maybeChoice)
              → (x₂ : Tr+ l m (fmap+ Ass× (fmap+ (_,,_ x) (Q |||+p Z))))
              → Tr+ l m (fmap+ (_,,_ x) Q |||+p Z)
  Ass|||-+p Q (terminate x) x₁ l m tr = Ass|||-+- Q x₁ x l m tr
  Ass|||-+p Q (node x) x₁ l m tr = Ass|||-++ Q x x₁ l m tr


  Ass|||+-- : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process+ ∞ {lu} c₀)
              → (m : Maybe maybeChoice)
              → (l : List (Label lu))
              → (x : ChoiceSet c₁)
              → (x₁ : ChoiceSet c₂)
              → (x₂ : Tr+ l m (fmap+ Ass× (fmap+ (λ a → a ,, (x ,, x₁)) P)))
              → Tr+ l m (fmap+ (λ a → a ,, x₁) (fmap+ (λ a → a ,, x) P))
  Ass|||+-- P .nothing .[] x x₁ empty = empty
  Ass|||+-- P m .(Lab P x₂ :: l) x x₁ (extc l .m x₂ x₃) = extc l m x₂ (Ass|||∞-- (PE P x₂) m
  Ass|||+-- P m l x x₁ (intc .l .m x₂ x₃) = intc l m x₂ (Ass|||∞-- (PI P x₂) m l
  Ass|||+-- P .(just ((PT P x₂ ,, x) ,, x₁)) .[] x x₁ (terc x₂) = terc x₂

  Ass|||∞-- : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process∞ ∞ c₀)
              → (m : Maybe maybeChoice)
              → (l : List (Label lu))
              → (x : ChoiceSet c₁)
              → (x₁ : ChoiceSet c₂)
              → (x₃ : Tr∞ l m (fmap∞ Ass× (fmap∞ (λ a → a ,, (x ,, x₁)) P)))
              → Tr∞ l m (fmap∞ (λ a → a ,, x₁) (fmap∞ (λ a → a ,, x) P))
  Ass|||∞-- P m l x x₁ tr = Ass|||p-- (forcep P) x x₁ l m tr

  Ass|||--+ : {lu : LUniv}{c₀ c₁ c₂ : Choice}(Z : Process+ ∞ {lu} c₂)
              → (q : ChoiceSet c₁)
              → (x : ChoiceSet c₀)
              → (l : List (Label lu))
              → (m : Maybe maybeChoice)
              → (tr : Tr+ l m (fmap+ Ass× (fmap+ (_,,_ x) (fmap+ (_,,_ q) Z))))
              → Tr+ l m (fmap+ (_,,_ (x ,, q)) Z)
  Ass|||--+ Z q x .[] .nothing empty = empty
  Ass|||--+ Z q x .(Lab Z x₁ :: l) m (extc l .m x₁ x₂) = extc l m x₁ (Ass|||--∞ (P
  Ass|||--+ Z q x l m (intc .l .m x₁ x₂) = intc l m x₁ (Ass|||--∞ (P
  Ass|||--+ Z q x .[] .(just ((x ,, q) ,, PT Z x₁)) (terc x₁) = (terc x₁)

  Ass|||-+- : {lu : LUniv}{c₀ c₁ c₂ : Choice}(Q : Process+ ∞ {lu} c₁)
              → (x₁ : ChoiceSet c₀)
              → (x : ChoiceSet c₂)
              → (l : List (Label lu))
              → (m : Maybe maybeChoice)
              → (tr : Tr+ l m (fmap+ Ass× (fmap+ (_,,_ x₁) (fmap+ (λ a → a ,, x) Q))))
              → Tr+ l m (fmap+ (λ a → a ,, x) (fmap+ (_,,_ x₁) Q))
  Ass|||-+- Q x₁ x .[] .nothing empty = empty
  Ass|||-+- Q x₁ x .(Lab Q x₂ :: l) m (extc l .m x₂ x₃) = extc l m x₂ (Ass|||-∞- (PE Q x₂) m l x₁ x x₃)
  Ass|||-+- Q x₁ x l m (intc .l .m x₂ x₃) = intc l m x₂ (Ass|||-∞- (PI Q x₂) m l x₁ x x₃)
  Ass|||-+- Q x₁ x .[] .(just ((x₁ ,, PT Q x₂) ,, x)) (terc x₂) = (terc x₂)


  Ass|||--∞ : {lu : LUniv}{c₀ c₁ c₂ : Choice}(Z : Process∞ ∞ c₂)
              → (q : ChoiceSet c₁)
              → (x : ChoiceSet c₀)
              → (l : List (Label lu))
              → (m : Maybe maybeChoice)
              → (x₂ : Tr∞ l m (fmap∞ Ass× (fmap∞ (_,,_ x) (fmap∞ (_,,_ q) Z))))
              → Tr∞ l m (fmap∞ (_,,_ (x ,, q)) Z)
  Ass|||--∞ Z q x l m tr = Ass|||--p (forcep Z) x q l m tr

  Ass|||-∞- : {lu : LUniv}{c₀ c₁ c₂ : Choice}(Q : Process∞ ∞ c₁)
              → (m : Maybe ((ChoiceSet c₀ auxData.× ChoiceSet c₁) auxData.× ChoiceSet c₂))
              → (l : List (Label lu))
              → (x : ChoiceSet c₀)
              → (x₁ : ChoiceSet c₂)
              → (x₃ : Tr∞ l m (fmap∞ Ass× (fmap∞ (_,,_ x) (fmap∞ (λ a → a ,, x₁) Q))))
              → Tr∞ l m (fmap∞ (λ a → a ,, x₁) (fmap∞ (_,,_ x) Q))
  Ass|||-∞- Q m l x x₁ tr = Ass|||-p- (forcep Q) x x₁ l m tr

  Ass|||--p : {lu : LUniv}{c₀ c₁ c₂ : Choice}(Z : Process ∞ c₂)
              → (x : ChoiceSet c₀)
              → (q : ChoiceSet c₁)
              → (l : List (Label lu))
              → (m : Maybe maybeChoice)
              → (x₂ : Tr l m (fmap Ass× (fmap (_,,_ x) (fmap (_,,_ q) Z))))
              → Tr l m (fmap (_,,_ (x ,, q)) Z)
  Ass|||--p (terminate x) x₁ q l m x₂ = lemFmap (λ x₃ → x) ((_,,_ (x₁ ,, q))) (terminate x) l m
  Ass|||--p (node x) x₁ q l m (tnode tr) = tnode (Ass|||--+ x q x₁ l m tr)

  Ass|||-p- : {lu : LUniv}{c₀ c₁ c₂ : Choice}(Q : Process ∞ c₁)
              → (x₁ : ChoiceSet c₀)
              → (x : ChoiceSet c₂)
              → (l : List (Label lu))
              → (m : Maybe maybeChoice)
              → (x₃ : Tr l m (fmap Ass× (fmap (_,,_ x₁) (fmap (λ a → a ,, x) Q))))
              → Tr l m (fmap (λ a → a ,, x) (fmap (_,,_ x₁) Q))
  Ass|||-p- (terminate x) x₁ x₂ l m x₃ = lemFmap ((λ x₃ → x)) (λ x₄ → (x₁ ,, x) ,, x₂) (terminat
  Ass|||-p- (node x) x₁ q l m (tnode tr) = tnode (Ass|||-+- x x₁ q l m tr)

  Ass|||p-- : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process ∞ c₀)
              → (x₁ : ChoiceSet c₁)
              → (x : ChoiceSet c₂)
              → (l : List (Label lu))
              → (m : Maybe maybeChoice)
              → (x₃ : Tr l m (fmap Ass× (fmap (λ a → a ,, (x₁ ,, x)) P)))
              → Tr l m (fmap (λ a → a ,, x) (fmap (λ a → a ,, x₁) P))
  Ass|||p-- (terminate x) x₁ x₂ l m x₃ = lemFmap (λ x₄ → x) (λ x₄ → (x ,, x₁) ,, x₂) (terminate
  Ass|||p-- (node x) x₁ x₂ l m (tnode tr) = tnode (Ass|||+-- x m l x₁ x₂ tr)


mutual
  Ass|||+R : {lu : LUniv}{c₀ c₁ c₂ : Choice} (P : Process+ ∞ {lu} c₀) (Q : Process+ ∞ {lu} c₁) (Z : Process+ ∞ {lu} c₂)
             → fmap+ Ass× (P |||++ (Q |||++ Z)) ⊑+ ((P |||++ Q) |||++ Z)
  Ass|||+R P Q Z .[] .nothing empty = empty
  Ass|||+R P Q Z .(Lab P x :: l) m (extc l .m (inj₁ (inj₁ x)) x₁) = extc l m (inj₁ x) (Ass|||∞+-
  Ass|||+R P Q Z .(Lab Q y :: l) m (extc l .m (inj₁ (inj₂ y)) x₃) = extc l m (inj₂ (inj₁ y)) (Ass|
  Ass|||+R P Q Z .(Lab Z y :: l) m (extc l .m (inj₂ y) x₁) = extc l m (inj₂ (inj₂ y)) (Ass|||++∞R
  Ass|||+R P Q Z l m (intc .l .m (inj₁ (inj₁ x)) x₁) = intc l m (inj₁ x) (Ass|||∞++R (PI
  Ass|||+R P Q Z l m (intc .l .m (inj₁ (inj₂ y)) x₁) = intc l m (inj₂ (inj₁ y)) (Ass|||+∞+R
  Ass|||+R P Q Z l m (intc .l .m (inj₂ y) x₁) = intc l m (inj₂ (inj₂ y)) (Ass|||++∞R
  Ass|||+R P Q Z .[] .(just ((PT P x ,, PT Q x₁) ,, PT Z x₂)) (terc ((x ,, x₁) ,, x₂)) = terc (x ,, (x₁ ,, x₂))

  Ass|||∞++R : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process∞ ∞ c₀)
               (Q : Process+ ∞ {lu} c₁)
               (Z : Process+ ∞ {lu} c₂)
               → Ref∞ (fmap∞ Ass× (P |||∞+ (Q |||++ Z))) (((P |||∞+ Q) |||∞+ Z))
  Ass|||∞++R P Q Z l m (tnode tr) = tnode (Ass|||+ppR (forcep P) Q Z l m tr)

  Ass|||+∞+R : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process+ ∞ {lu} c₀)
               (Q : Process∞ ∞ c₁)
               (Z : Process+ ∞ {lu} c₂)
               → Ref∞ (fmap∞ Ass× (P |||+∞ (Q |||∞+ Z))) (((P |||+∞ Q) |||∞+ Z))
  Ass|||+∞+R P Q Z l m (tnode tr) = tnode (Ass|||p+pR P (forcep Q) Z l m tr)

  Ass|||++∞R : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process+ ∞ {lu} c₀)
               (Q : Process+ ∞ {lu} c₁)
               (Z : Process∞ ∞ c₂)
               → Ref∞ (fmap∞ Ass× (P |||+∞ (Q |||+∞ Z))) (((P |||++ Q) |||+∞ Z))
  Ass|||++∞R P Q Z l m (tnode tr) = tnode (Ass|||pp+R P Q (forcep Z) l m tr)

  Ass|||+ppR : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process ∞ c₀)
               (Q : Process+ ∞ {lu} c₁)
               (Z : Process+ ∞ {lu} c₂)
               → Ref+ (fmap+ Ass× (P |||p+ (Q |||++ Z))) (((P |||p+ Q) |||++ Z))
  Ass|||+ppR (terminate x) Q Z l m tr = Ass|||-++R Q Z x l m tr
  Ass|||+ppR (node x) Q Z l m tr = Ass|||+R x Q Z l m tr

  Ass|||p+pR : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process+ ∞ {lu} c₀)
               (Q : Process ∞ c₁)
               (Z : Process+ ∞ {lu} c₂)
               → Ref+ (fmap+ Ass× (P |||++ (Q |||p+ Z))) (((P |||+p Q) |||++ Z))
  Ass|||p+pR P (terminate x) Z l m tr = Ass|||+-+R P Z x l m tr
  Ass|||p+pR P (node x) Z l m tr = Ass|||+R P x Z l m tr

  Ass|||pp+R : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process+ ∞ {lu} c₀)
               (Q : Process+ ∞ {lu} c₁)
               (Z : Process ∞ c₂)
               → Ref+ (fmap+ Ass× (P |||++ (Q |||+p Z))) (((P |||++ Q) |||+p Z))
  Ass|||pp+R P Q (terminate x) l m tr = Ass|||++-R P Q m l x tr
  Ass|||pp+R P Q (node x) l m tr = Ass|||+R P Q x l m tr


  Ass|||-++R : {lu : LUniv}{c₀ c₁ c₂ : Choice}(Q : Process+ ∞ {lu} c₁)
               (Z : Process+ ∞ {lu} c₂)
               → (x : ChoiceSet c₀)
               → (l : List (Label lu))
               → (m : Maybe maybeChoice)
               → (x₂ : Tr+ l m (fmap+ (_,,_ x) Q |||++ Z))
               → Tr+ l m (fmap+ Ass× (fmap+ (_,,_ x) (Q |||++ Z)))
  Ass|||-++R Q Z x .[] .nothing empty = empty
  Ass|||-++R Q Z x .(Lab Q x₁ :: l) m (extc l .m (inj₁ x₁) x₂) = extc l m (inj₁ x₁) (Ass|||-∞+R
  Ass|||-++R Q Z x .(Lab Z y :: l) m (extc l .m (inj₂ y) x₂) = extc l m (inj₂ y) (Ass|||-+∞R
  Ass|||-++R Q Z x l m (intc .l .m (inj₁ x₁) x₂) = intc l m (inj₁ x₁) (Ass|||-∞+R
  Ass|||-++R Q Z x l m (intc .l .m (inj₂ y) x₂) = intc l m (inj₂ y) (Ass|||-+∞R
  Ass|||-++R Q Z x .[] .(just ((x ,, PT Q x₁) ,, PT Z x₂)) (terc (x₁ ,, x₂)) = terc (x₁ ,, x₂)

  Ass|||+-+R : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process+ ∞ {lu} c₀)
               (Z : Process+ ∞ {lu} c₂)
               → (x : ChoiceSet c₁)
               → (l : List (Label lu))
               → (m : Maybe maybeChoice)
               → (tr : Tr+ l m (fmap+ (λ a → a ,, x) P |||++ Z))
               → Tr+ l m (fmap+ Ass× (P |||++ fmap+ (_,,_ x) Z))
  Ass|||+-+R P Z x .[] .nothing empty = empty
  Ass|||+-+R P Z x .(Lab P x₁ :: l) m (extc l .m (inj₁ x₁) x₂) = extc l m (inj₁ x₁) (Ass|||∞-+R
  Ass|||+-+R P Z x .(Lab Z y :: l) m (extc l .m (inj₂ y) x₂) = extc l m (inj₂ y) (Ass|||+-∞R
  Ass|||+-+R P Z x l m (intc .l .m (inj₁ x₁) x₂) = intc l m (inj₁ x₁) (Ass|||∞-+R (
  Ass|||+-+R P Z x l m (intc .l .m (inj₂ y) x₂) = intc l m (inj₂ y) (Ass|||+-∞R
  Ass|||+-+R P Z x .[] .(just ((PT P x₁ ,, x) ,, PT Z x₂)) (terc (x₁ ,, x₂)) = terc (x₁ ,, x₂)

  Ass|||++-R : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process+ ∞ {lu} c₀)
               (Q : Process+ ∞ {lu} c₁)
               → (m : Maybe maybeChoice)
               → (l : List (Label lu))
               → (x : ChoiceSet c₂)
               → (tr : Tr+ l m (fmap+ (λ a → a ,, x) (P |||++ Q)))
               → Tr+ l m (fmap+ Ass× (P |||++ fmap+ (λ a → a ,, x) Q))
  Ass|||++-R P Q .nothing .[] x empty = empty
  Ass|||++-R P Q m .(Lab P x₁ :: l) x (extc l .m (inj₁ x₁) x₂) = extc l m (inj₁ x₁) (Ass|||∞+-R (PE P
  Ass|||++-R P Q m .(Lab Q y :: l) x (extc l .m (inj₂ y) x₂) = extc l m (inj₂ y) (Ass|||+∞-R P (PE
  Ass|||++-R P Q m l x (intc .l .m (inj₁ x₁) x₂) = intc l m (inj₁ x₁) (Ass|||∞+-R (PI P x
  Ass|||++-R P Q m l x (intc .l .m (inj₂ y) x₂) = intc l m (inj₂ y) (Ass|||+∞-R P (PI Q
  Ass|||++-R P Q .(just ((PT P x₁ ,, PT Q x₂) ,, x)) .[] x (terc (x₁ ,, x₂)) = terc (x₁ ,, x₂)


  Ass|||-∞+R : {lu : LUniv}{c₀ c₁ c₂ : Choice}(Q : Process∞ ∞ c₁)
               (Z : Process+ ∞ {lu} c₂)
               → (x : ChoiceSet c₀)
               → (l : List (Label lu))
               → (m : Maybe maybeChoice)
               → (x₂ : Tr∞ l m (fmap∞ (_,,_ x) Q |||∞+ Z))
               → Tr∞ l m (fmap∞ Ass× (fmap∞ (_,,_ x) (Q |||∞+ Z)))
  Ass|||-∞+R Q Z x l m (tnode tr) = tnode (Ass|||-p+R (forcep Q) Z x l m tr)

  Ass|||∞-+R : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process∞ ∞ c₀)
               (Z : Process+ ∞ {lu} c₂)
               → (x : ChoiceSet c₁)
               → (l : List (Label lu))
               → (m : Maybe maybeChoice)
               → (x₂ : Tr∞ l m (fmap∞ (λ a → a ,, x) P |||∞+ Z))
               → Tr∞ l m (fmap∞ Ass× (P |||∞+ fmap+ (_,,_ x) Z))
  Ass|||∞-+R P Z x l m tr = tnode (Ass|||p-+R (forcep P) Z x l m tr)

  Ass|||∞+-R : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process∞ ∞ c₀)
               (Q : Process+ ∞ {lu} c₁)
               → (m : Maybe maybeChoice)
               → (l : List (Label lu))
               → (x : ChoiceSet c₂)
               → (x₂ : Tr∞ l m (fmap∞ (λ a → a ,, x) (P |||∞+ Q)))
               → Tr∞ l m (fmap∞ Ass× (P |||∞+ fmap+ (λ a → a ,, x) Q))
  Ass|||∞+-R P Q m l x (tnode tr) = tnode (Ass|||p+-R (forcep P) Q m l x tr)

  Ass|||+∞-R : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process+ ∞ {lu} c₀)
               (Q : Process∞ ∞ c₁)
               → (m : Maybe maybeChoice)
               → (l : List (Label lu))
               → (x : ChoiceSet c₂)
               → (x₂ : Tr∞ l m (fmap∞ (λ a → a ,, x) (P |||+∞ Q)))
               → Tr∞ l m (fmap∞ Ass× (P |||+∞ fmap∞ (λ a → a ,, x) Q))
  Ass|||+∞-R P Q m l x (tnode tr) = tnode (Ass|||+p-R P (forcep Q) m l x tr)

  Ass|||+-∞R : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process+ ∞ {lu} c₀)
               (Z : Process∞ ∞ c₂)
               → (x : ChoiceSet c₁)
               → (l : List (Label lu))
               → (m : Maybe maybeChoice)
               → (x₂ : Tr∞ l m (fmap+ (λ a → a ,, x) P |||+∞ Z))
               → Tr∞ l m (fmap∞ Ass× (P |||+∞ fmap∞ (_,,_ x) Z))
  Ass|||+-∞R P Z x l m (tnode tr) = tnode (Ass|||+-pR P (forcep Z) x l m tr)

  Ass|||-+∞R : {lu : LUniv}{c₀ c₁ c₂ : Choice}(Q : Process+ ∞ {lu} c₁)
               (Z : Process∞ ∞ c₂)
               → (x : ChoiceSet c₀)
               → (l : List (Label lu))
               → (m : Maybe maybeChoice)
               → (x₂ : Tr∞ l m (fmap+ (_,,_ x) Q |||+∞ Z))
               → Tr∞ l m (fmap∞ Ass× (fmap∞ (_,,_ x) (Q |||+∞ Z)))
  Ass|||-+∞R Q Z x l m (tnode tr) = tnode (Ass|||-+pR Q (forcep Z) x l m tr)

  Ass|||-p+R : {lu : LUniv}{c₀ c₁ c₂ : Choice}(Q : Process ∞ c₁)
               (Z : Process+ ∞ {lu} c₂)
               → (x : ChoiceSet c₀)
               → (l : List (Label lu))
               → (m : Maybe maybeChoice)
               → (x₂ : Tr+ l m (fmap (_,,
               → Tr+ l m (fmap+ Ass× (fmap+ (_,,_ x) (Q |||p+ Z)))
  Ass|||-p+R (terminate q) Z x l m tr = Ass|||--+R Z q x l m tr
  Ass|||-p+R (node q) Z x l m tr = Ass|||-++R q Z x l m tr


  Ass|||+-pR : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process+ ∞ {lu} c₀)
               (Z : Process ∞ c₂)
               → (x : ChoiceSet c₁)
               → (l : List (Label lu))
               → (m : Maybe maybeChoice)
               → (x₂ : Tr+ l m (fmap+ (λ a → a ,, x) P |||+p Z))
               → Tr+ l m (fmap+ Ass× (P |||+p fmap (_,,_ x) Z))
  Ass|||+-pR P (terminate x) x₁ l m x₂ = Ass|||+--R P m l x₁ x x₂
  Ass|||+-pR P (node x) x₁ l m x₂ = Ass|||+-+R P x x₁ l m x₂

  Ass|||+p-R : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process+ ∞ {lu} c₀)
               (Q : Process ∞ c₁)
               → (m : Maybe maybeChoice)
               → (l : List (Label lu))
               → (x : ChoiceSet c₂)
               → (x₂ : Tr+ l m (fmap+ (λ a → a ,, x) (P |||+p Q)))
               → Tr+ l m (fmap+ Ass× (P |||+p fmap (λ a → a ,, x) Q))
  Ass|||+p-R P (terminate x) m l x₁ x₂ = Ass|||+--R P m l x x₁ x₂
  Ass|||+p-R P (node x) m l x₁ x₂ = Ass|||++-R P x m l x₁ x₂

  Ass|||p+-R : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process ∞ c₀)
               (Q : Process+ ∞ {lu} c₁)
               → (m : Maybe maybeChoice)
               → (l : List (Label lu))
               → (x : ChoiceSet c₂)
               → (x₂ : Tr+ l m (fmap+ (λ a → a ,, x) (P |||p+ Q)))
               → Tr+ l m (fmap+ Ass× (P |||p+ fmap+ (λ a → a ,, x) Q))
  Ass|||p+-R (terminate x) Q m l x₁ x₂ = Ass|||-+-R Q x x₁ l m x₂
  Ass|||p+-R (node x) Q m l x₁ x₂ = Ass|||++-R x Q m l x₁ x₂

  Ass|||p-+R : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process ∞ c₀)
               (Z : Process+ ∞ {lu} c₂)
               → (x : ChoiceSet c₁)
               → (l : List (Label lu))
               → (m : Maybe maybeChoice)
               → (x₂ : Tr l m (node (fmap (λ a → a ,, x) P |||p+ Z)))
               → Tr+ l m (fmap+ Ass× (P |||p+ fmap+ (_,,_ x) Z))
  Ass|||p-+R (terminate x) Z x₁ l m (tnode tr) = Ass|||--+R Z x₁ x l m tr
  Ass|||p-+R (node x) Z x₁ l m (tnode tr) = Ass|||+-+R x Z x₁ l m tr

  Ass|||-+pR : {lu : LUniv}{c₀ c₁ c₂ : Choice}(Q : Process+ ∞ {lu} c₁)
               (Z : Process ∞ c₂)
               → (x : ChoiceSet c₀)
               → (l : List (Label lu))
               → (m : Maybe maybeChoice)
               → (x₂ : Tr+ l m (fmap+ (_,,_ x) Q |||+p Z))
               → Tr+ l m (fmap+ Ass× (fmap+ (_,,_ x) (Q |||+p Z)))
  Ass|||-+pR Q (terminate x) x₁ l m tr = Ass|||-+-R Q x₁ x l m tr
  Ass|||-+pR Q (node x) x₁ l m tr = Ass|||-++R Q x x₁ l m tr

  Ass|||+--R : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process+ ∞ {lu} c₀)
               → (m : Maybe maybeChoice)
               → (l : List (Label lu))
               → (x : ChoiceSet c₁)
               → (x₁ : ChoiceSet c₂)
               → (x₂ : Tr+ l m (fmap+ (λ a → a ,, x₁) (fmap+ (λ a → a ,, x) P)))
               → Tr+ l m (fmap+ Ass× (fmap+ (λ a → a ,, (x ,, x₁)) P))
  Ass|||+--R P .nothing .[] x x₁ empty = empty
  Ass|||+--R P m .(Lab P x₂ :: l) x x₁ (extc l .m x₂ x₃) = extc l m x₂ (Ass|||∞--R (PE
  Ass|||+--R P m l x x₁ (intc .l .m x₂ x₃) = intc l m x₂ (Ass|||∞--R (PI
  Ass|||+--R P .(just ((PT P x₂ ,, x) ,, x₁)) .[] x x₁ (terc x₂) = terc x₂

  Ass|||∞--R : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process∞ ∞ c₀)
               → (m : Maybe maybeChoice)
               → (l : List (Label lu))
               → (x : ChoiceSet c₁)
               → (x₁ : ChoiceSet c₂)
               → (x₃ : Tr∞ l m (fmap∞ (λ a → a ,, x₁) (fmap∞ (λ a → a ,, x) P)))
               → Tr∞ l m (fmap∞ Ass× (fmap∞ (λ a → a ,, (x ,, x₁)) P))
  Ass|||∞--R P m l x x₁ tr = Ass|||p--R (forcep P) x x₁ l m tr


  Ass|||--+R : {lu : LUniv}{c₀ c₁ c₂ : Choice}(Z : Process+ ∞ {lu} c₂)
               → (q : ChoiceSet c₁)
               → (x : ChoiceSet c₀)
               → (l : List (Label lu))
               → (m : Maybe maybeChoice)
               → (tr : Tr+ l m (fmap+ (_,,_ (x ,, q)) Z))
               → Tr+ l m (fmap+ Ass× (fmap+ (_,,_ x) (fmap+ (_,,_ q) Z)))
  Ass|||--+R Z q x .[] .nothing empty = empty
  Ass|||--+R Z q x .(Lab Z x₁ :: l) m (extc l .m x₁ x₂) = extc l m x₁ (Ass|||--∞R (PE Z x₁) q x l m x
  Ass|||--+R Z q x l m (intc .l .m x₁ x₂) = intc l m x₁ (Ass|||--∞R (PI Z x₁) q x l m x₂)
  Ass|||--+R Z q x .[] .(just ((x ,, q) ,, PT Z x₁)) (terc x₁) = (terc x₁)

  Ass|||-+-R : {lu : LUniv}{c₀ c₁ c₂ : Choice}(Q : Process+ ∞ {lu} c₁)
               → (x₁ : ChoiceSet c₀)
               → (x : ChoiceSet c₂)
               → (l : List (Label lu))
               → (m : Maybe maybeChoice)
               → (tr : Tr+ l m (fmap+ (λ a → a ,, x) (fmap+ (_,,_ x₁) Q)))
               → Tr+ l m (fmap+ Ass× (fmap+ (_,,_ x₁) (fmap+ (λ a → a ,, x) Q)))
  Ass|||-+-R Q x₁ x .[] .nothing empty = empty
  Ass|||-+-R Q x₁ x .(Lab Q x₂ :: l) m (extc l .m x₂ x₃) = extc l m x₂ (Ass|||-∞-R (PE Q x₂) m
  Ass|||-+-R Q x₁ x l m (intc .l .m x₂ x₃) = intc l m x₂ (Ass|||-∞-R (PI Q x₂) m
  Ass|||-+-R Q x₁ x .[] .(just ((x₁ ,, PT Q x₂) ,, x)) (terc x₂) = (terc x₂)

  Ass|||--∞R : {lu : LUniv}{c₀ c₁ c₂ : Choice}(Z : Process∞ ∞ c₂)
               → (q : ChoiceSet c₁)
               → (x : ChoiceSet c₀)
               → (l : List (Label lu))
               → (m : Maybe maybeChoice)
               → (x₂ : Tr∞ l m (fmap∞ (_,,_ (x ,, q)) Z))
               → Tr∞ l m (fmap∞ Ass× (fmap∞ (_,,_ x) (fmap∞ (_,,_ q) Z)))
  Ass|||--∞R Z q x l m tr = Ass|||--pR (forcep Z) x q l m tr

  Ass|||-∞-R : {lu : LUniv}{c₀ c₁ c₂ : Choice}(Q : Process∞ ∞ c₁)
               (m : Maybe maybeChoice)
               → (l : List (Label lu))
               → (x : ChoiceSet c₀)
               → (x₁ : ChoiceSet c₂)
               → (x₃ : Tr∞ l m (fmap∞ (λ a → a ,, x₁) (fmap∞ (_,,_ x) Q)))
               → Tr∞ l m (fmap∞ Ass× (fmap∞ (_,,_ x) (fmap∞ (λ a → a ,, x₁) Q)))
  Ass|||-∞-R Q m l x x₁ tr = Ass|||-p-R (forcep Q) x x₁ l m tr

  Ass|||--pR : {lu : LUniv}{c₀ c₁ c₂ : Choice}(Z : Process ∞ c₂)
               → (x : ChoiceSet c₀)
               → (q : ChoiceSet c₁)
               → (l : List (Label lu))
               → (m : Maybe maybeChoice)
               → (x₂ : Tr l m (fmap (_,,_ (x ,, q)) Z))
               → Tr l m (fmap Ass× (fmap (_,,_ x) (fmap (_,,_ q) Z)))
  Ass|||--pR (terminate x) x₁ q l m x₂ = lemFmapR (λ x₃ → x) ((_,,_ (x₁ ,, q))) (terminate x)
  Ass|||--pR (node x) x₁ q l m (tnode tr) = tnode (Ass|||--+R x q x₁ l m tr)

  Ass|||-p-R : {lu : LUniv}{c₀ c₁ c₂ : Choice}(Q : Process ∞ c₁)
               → (x₁ : ChoiceSet c₀)
               → (x : ChoiceSet c₂)
               → (l : List (Label lu))
               → (m : Maybe maybeChoice)
               → (x₃ : Tr l m (fmap (λ a → a ,, x) (fmap (_,,_ x₁) Q)))
               → Tr l m (fmap Ass× (fmap (_,,_ x₁) (fmap (λ a → a ,, x) Q)))
  Ass|||-p-R (terminate x) x₁ x₂ l m x₃ = lemFmapR ((λ x₃ → x)) (λ x₄ → (x₁ ,, x) ,, x₂) (termi
  Ass|||-p-R (node x) x₁ x₂ l m (tnode tr) = tnode (Ass|||-+-R x x₁ x₂ l m tr)

  Ass|||p--R : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process ∞ c₀)
               → (x₁ : ChoiceSet c₁)
               → (x : ChoiceSet c₂)
               → (l : List (Label lu))
               → (m : Maybe maybeChoice)
               → (x₃ : Tr l m (fmap (λ a → a ,, x) (fmap (λ a → a ,, x₁) P)))
               → Tr l m (fmap Ass× (fmap (λ a → a ,, (x₁ ,, x)) P))
  Ass|||p--R (terminate x) x₁ x₂ l m x₃ = lemFmapR (λ x₄ → x) (λ x₄ → (x ,, x₁) ,, x₂) (termin
  Ass|||p--R (node x) x₁ x₂ l m (tnode tr) = tnode (Ass|||+--R x m l x₁ x₂ tr)

--@BEGIN@EqAssIntDef
=|||+ : {lu : LUniv}{c₀ c₁ c₂ : Choice}
        (P : Process+ ∞ {lu} c₀)
        (Q : Process+ ∞ {lu} c₁)
        (Z : Process+ ∞ {lu} c₂)
        → ((P |||++ Q) |||++ Z) =+ (fmap+ Ass× (P |||++ (Q |||++ Z)))
--@END

--@BEGIN@EqAssIntDefProof
=|||+ P Q Z = Ass|||+ P Q Z , Ass|||+R P Q Z
--@END
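The Agda proof above establishes, clause by clause, that (P |||++ Q) |||++ Z and fmap+ Ass× (P |||++ (Q |||++ Z)) have the same traces; the two refinement directions Ass|||+ and Ass|||+R are paired into the trace equivalence =|||+. What the proof object does not show is what those traces look like. The following is an added example, not CSP-Agda code: a finite, executable Python model of the same trace semantics (terminate/node processes, the interleaving operator, the trace constructors empty/extc/intc/terc, and Ass× re-associating the termination result). It assumes finite choice sets represented as Python lists, labels as strings, and the result of a trace as None when it does not end in a tick. The sample processes P, Q, Z are constructed for the example and do not come from the thesis.

```python
# Added example: finite model of CSP-Agda's trace semantics for interleaving.
# Not part of the CSP-Agda library; finite choice sets are Python lists,
# labels are strings, and a trace is (labels, result) with result None when
# the trace does not end in a tick.
from dataclasses import dataclass, field
from typing import Any, Callable, List, Tuple, Union


@dataclass(frozen=True)
class Terminate:
    val: Any                       # terminate a: a finished process with result a


@dataclass
class Node:                        # a Process+ with finite choice sets
    ext: List[Tuple[str, "Proc"]] = field(default_factory=list)   # (Lab, PE)
    intl: List["Proc"] = field(default_factory=list)              # PI
    term: List[Any] = field(default_factory=list)                 # PT


Proc = Union[Terminate, Node]


def fmap(f: Callable[[Any], Any], p: Proc) -> Proc:
    """fmap f P: post-compose every termination result of P with f."""
    if isinstance(p, Terminate):
        return Terminate(f(p.val))
    return Node([(lab, fmap(f, c)) for lab, c in p.ext],
                [fmap(f, c) for c in p.intl],
                [f(a) for a in p.term])


def ill(p: Proc, q: Proc) -> Proc:
    """P ||| Q as defined for terminate/node: a finished side only tags the
    other side's result (fmap), two nodes offer the union of their external
    and internal choices and terminate only when both do."""
    if isinstance(p, Terminate):
        return fmap(lambda b: (p.val, b), q)
    if isinstance(q, Terminate):
        return fmap(lambda a: (a, q.val), p)
    return Node([(lab, ill(c, q)) for lab, c in p.ext] +
                [(lab, ill(p, c)) for lab, c in q.ext],
                [ill(c, q) for c in p.intl] + [ill(p, c) for c in q.intl],
                [(a, b) for a in p.term for b in q.term])


def traces(p: Proc) -> set:
    """Finite trace set, one clause per trace constructor."""
    if isinstance(p, Terminate):
        return {((), None), ((), p.val)}
    out = {((), None)}                                    # empty
    for lab, c in p.ext:                                  # extc: label prefixed
        out |= {((lab,) + t, r) for t, r in traces(c)}
    for c in p.intl:                                      # intc: no label
        out |= traces(c)
    out |= {((), a) for a in p.term}                      # terc
    return out


def ass_x(v):
    """Ass×: a ,, (b ,, c)  ->  (a ,, b) ,, c."""
    a, (b, c) = v
    return ((a, b), c)


def assoc_holds(p: Proc, q: Proc, z: Proc) -> bool:
    """The statement of =|||+ for this finite model:
    traces of (P ||| Q) ||| Z equal traces of fmap Ass× (P ||| (Q ||| Z))."""
    return traces(ill(ill(p, q), z)) == traces(fmap(ass_x, ill(p, ill(q, z))))


# Constructed sample processes (assumption, not from the thesis).
P = Node(ext=[("a", Terminate(1))], term=[0])     # a -> SKIP 1, or tick with 0
Q = Node(ext=[("b", Terminate(2))])               # b -> SKIP 2
Z = Node(intl=[Terminate(3)])                     # one internal step, then tick 3


def demo():
    """Returns (associativity holds, equality WITHOUT Ass×, ticked traces of
    (P ||| Q) ||| Z).  The second component is False: without re-associating
    the result the termination values (0 ,, (2 ,, 3)) and ((0 ,, 2) ,, 3) differ."""
    left = traces(ill(ill(P, Q), Z))
    right_raw = traces(ill(P, ill(Q, Z)))
    ticked = sorted(t for t in left if t[1] is not None)
    return assoc_holds(P, Q, Z), left == right_raw, ticked
```

The model makes the role of Ass× visible: the label sequences of the two associations coincide as they stand, and only the termination results need re-pairing, which is exactly what the terc clause of Ass|||+R does and why every other clause merely re-tags the chosen inj₁/inj₂ branch.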


A.71 proofAssExt.agda

--@PREFIX@mainproofAssExt

module proofAssExt where

open import process
open import TraceWithoutSize
open import Size
open import choiceSetU
open import auxData
open import Data.Maybe
open import Data.Product
open import Data.List
open import Data.Sum
open import Data.Fin
open import renamingResult
open import RefWithoutSize
open import dataAuxFunction
open import lemFmap
open import externalChoice
open import addTick
open import Data.Nat
open import internalChoice
open import Data.String
open import traceEquivalence
open import Data.Product
open import labelUniv

maybeExtC : {c₀ c₁ c₂ : Choice} → Set
maybeExtC {c₀} {c₁} {c₂} = ((ChoiceSet c₀ ⊎ ChoiceSet c₁) ⊎ ChoiceSet c₂)


mutual
  --@BEGIN@AssExDef
  A□+ : {lu : LUniv}{c₀ c₁ c₂ : Choice} (P : Process+ ∞ {lu} c₀)
        (Q : Process+ ∞ {lu} c₁)
        (Z : Process+ ∞ {lu} c₂)
        → ((P □++ Q) □++ Z) ⊑+ fmap+ Ass⊎r (P □++ (Q □++ Z))
  A□+ P Q Z .[] .nothing empty = empty
  A□+ P Q Z .(Lab P x :: l) m (extc l .m (inj₁ x) x₁) =
    let
      x' : Tr∞ l m (fmap∞ Ass⊎r (fmap∞ inj₁ (PE P x)))
      x' = x₁

      x₁' : Tr∞ l m (fmap∞ (Ass⊎r ∘ inj₁) ((PE P x)))
      x₁' = lemFmap∞ inj₁ Ass⊎r (PE P x) l m x'

      x₂' : Tr∞ l m (fmap∞ inj₁ (fmap∞ inj₁ (PE P x)))
      x₂' = lemFmap∞R inj₁ inj₁ (PE P x) l m x₁'
    in extc l m (inj₁ (inj₁ x)) x₂'

  A□+ P Q Z .(Lab Q x :: l) m (extc l .m (inj₂ (inj₁ x)) x₁) =
    let
      x₁'' : Tr∞ l m (fmap∞ Ass⊎r
                        (fmap∞ inj₂ (fmap∞ inj₁ (PE Q x))))
      x₁'' = x₁

      x₁' : Tr∞ l m (fmap∞ (Ass⊎r ∘ inj₂) (fmap∞ inj₁ (PE Q x)))
      x₁' = lemFmap∞ inj₂ Ass⊎r (fmap∞ inj₁ (PE Q x)) l m x₁''

      x₂' : Tr∞ l m (fmap∞ (Ass⊎r ∘ inj₂ ∘ inj₁) (PE Q x))
      x₂' = lemFmap∞ inj₁ (Ass⊎r ∘ inj₂) (PE Q x) l m x₁'

      x₃' : Tr∞ l m (fmap∞ inj₁ (fmap∞ inj₂ (PE Q x)))
      x₃' = lemFmap∞R inj₂ inj₁ (PE Q x) l m x₂'
    in extc l m (inj₁ (inj₂ x)) x₃'

  A□+ P Q Z .(Lab Z y :: l) m (extc l .m (inj₂ (inj₂ y)) x₁) =
    extc l m (inj₂ y) (lemFmap∞ inj₂ (Ass⊎r ∘ inj₂) (PE Z y)
      l m (lemFmap∞ inj₂ Ass⊎r (fmap∞ inj₂ (PE Z y)) l m x₁))
  A□+ P Q Z l m (intc .l .m (inj₁ x) x₁) =
    intc l m (inj₁ (inj₁ x)) (A□∞++ (PI P x) Q Z l m x₁)
  A□+ P Q Z l m (intc .l .m (inj₂ (inj₁ x)) x₁) =
    intc l m (inj₁ (inj₂ x)) (A□+∞+ P (PI Q x) Z l m x₁)
  A□+ P Q Z l m (intc .l .m (inj₂ (inj₂ y)) x₁) =
    intc l m (inj₂ y) (A□++∞ P Q (PI Z y) l m x₁)
  A□+ P Q Z .[] .(just (inj₁ (inj₁ (PT P x)))) (terc (inj₁ x)) =
    terc (inj₁ (inj₁ x))
  A□+ P Q Z .[] .(just (inj₁ (inj₂ (PT Q x))))
    (terc (inj₂ (inj₁ x))) = terc (inj₁ (inj₂ x))
  A□+ P Q Z .[] .(just (inj₂ (PT Z y))) (terc (inj₂ (inj₂ y))) =
    terc (inj₂ y)
  --@END

  A□∞++ : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process∞ ∞ {lu} c₀)
          (Q : Process+ ∞ {lu} c₁)
          (Z : Process+ ∞ {lu} c₂)
          → Ref∞ (((P □∞++ Q) □∞++ Z))
                 (fmap∞ Ass⊎r (P □∞++ (Q □++ Z)))
  A□∞++ P Q Z l m (tnode tr) = tnode (A□+pp (forcep P) Q Z l m tr)

  A□+∞+ : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process+ ∞ {lu} c₀)
          (Q : Process∞ ∞ {lu} c₁)
          (Z : Process+ ∞ {lu} c₂)
          → Ref∞ (((P □+∞+ Q) □∞++ Z)) (fmap∞ Ass⊎r (P □+∞+ (Q □∞++ Z)))
  A□+∞+ P Q Z l m (tnode tr) = tnode (A□p+p P (forcep Q) Z l m tr)

  A□++∞ : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process+ ∞ {lu} c₀)
          (Q : Process+ ∞ {lu} c₁)
          (Z : Process∞ ∞ {lu} c₂)
          → Ref∞ (((P □++ Q) □+∞+ Z)) (fmap∞ Ass⊎r (P □+∞+ (Q □+∞+ Z)))
  A□++∞ P Q Z l m (tnode tr) = tnode (A□pp+ P Q (forcep Z) l m tr)

  A□+pp : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process ∞ c₀)
          (Q : Process+ ∞ {lu} c₁)
          (Z : Process+ ∞ {lu} c₂)
          → Ref+ (((P □p++ Q) □++ Z)) (fmap+ Ass⊎r (P □p++ (Q □++ Z)))
  A□+pp (terminate x) Q Z l m tr = A□-++ Q Z x l m tr
  A□+pp (node x) Q Z l m tr = A□+ x Q Z l m tr

  A□p+p : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process+ ∞ {lu} c₀)
          (Q : Process ∞ c₁)
          (Z : Process+ ∞ {lu} c₂)
          → Ref+ (((P □+p+ Q) □++ Z)) (fmap+ Ass⊎r (P □++ (Q □p++ Z)))
  A□p+p P (terminate x) Z l m tr = A□+-+ P Z x l m tr
  A□p+p P (node x) Z l m tr = A□+ P x Z l m tr

  A□pp+ : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process+ ∞ {lu} c₀)
          (Q : Process+ ∞ {lu} c₁)
          (Z : Process ∞ c₂)
          → Ref+ (((P □++ Q) □+p+ Z)) (fmap+ Ass⊎r (P □++ (Q □+p+ Z)))
  A□pp+ P Q (terminate x) l m tr = A□++- P Q m l x tr
  A□pp+ P Q (node x) l m tr = A□+ P Q x l m tr


  A□++- : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process+ ∞ {lu} c₀)
          (Q : Process+ ∞ {lu} c₁)
          → (m : Maybe maybeExtC)
          → (l : List (Label lu))
          → (x : ChoiceSet c₂)
          → (tr : Tr+ l m (fmap+ Ass⊎r (P □++ addTimed✓+ (inj₂ x) (fmap+ inj₁ Q)
          → Tr+ l m (addTimed✓+ (inj₂ x) (fmap+ inj₁ (P □++ Q)))
  A□++- P Q .nothing .[] x empty = empty
  A□++- P Q m .(Lab P x₁ :: l) x (extc l .m (inj₁ x₁) x₂) = let
      x' : Tr∞ l m (fmap∞ As
      x' = x₂
      x₁' : Tr∞ l m (fmap∞
      x₁' = lemFmap∞ inj₁ Ass⊎r (PE P x₁)
      x₂' : Tr∞ l m (fmap∞ inj₁ (fma
      x₂' = lemFmap∞R inj₁ inj₁ (PE P x₁) l
    in extc l m (inj₁ x₁) x₂'
  A□++- P Q m .(Lab Q y :: l) x (extc l .m (inj₂ y) x₂) = let
      x' : Tr∞ l m (fmap∞ Ass⊎r (fmap∞ inj₂
      x' = x₂
      x₁' : Tr∞ l m (fmap∞ (Ass⊎r ∘ inj₂) (fm
      x₁' = lemFmap∞ inj₂ Ass⊎r (fmap∞ inj₁
      x₂' : Tr∞ l m (fmap∞ (Ass⊎r ∘ inj
      x₂' = lemFmap∞ inj₁ (Ass⊎r ∘ inj₂) (PE
      x₃' : Tr∞ l m (fmap∞ inj₁ (fmap∞
      x₃' = lemFmap∞R inj₂ inj₁ (PE Q y) l m
    in extc l m (inj₂ y) x₃'
  A□++- P Q m l x (intc .l .m (inj₁ x₁) x₂) = intc l m (inj₁ x₁) (A□∞+- (PI P x₁) Q m l x x₂)
  A□++- P Q m l x (intc .l .m (inj₂ y) x₂) = intc l m (inj₂ y) (A□+∞- P (PI Q y) m l x x₂)
  A□++- P Q .(just (inj₁ (inj₁ (PT P x₁)))) .[] x (terc (inj₁ x₁)) = terc (inj₂ (inj₁ x₁))
  A□++- P Q .(just (inj₂ x)) .[] x (terc (inj₂ (inj₁ x₁))) = terc (inj₁ x₁)
  A□++- P Q .(just (inj₁ (inj₂ (PT Q y)))) .[] x (terc (inj₂ (inj₂ y))) = terc (inj₂ (inj₂ y))

  A□-++ : {lu : LUniv}{c₀ c₁ c₂ : Choice}(Q : Process+ ∞ {lu} c₁)
          (Z : Process+ ∞ {lu} c₂)
          → (x : ChoiceSet c₀)
          → (l : List (Label lu))
          → (m : Maybe ((ChoiceSet c₀ ⊎ ChoiceSet c₁) ⊎ ChoiceSet c₂))
          → (tr : Tr+ l m (fmap+ Ass⊎r (addTimed✓+ (inj₁ x) (fmap+ inj₂ (Q □++ Z)))))
          → Tr+ l m (addTimed✓+ (inj₁ x) (fmap+ inj₂ Q) □++ Z)
  A□-++ Q Z x .[] .nothing empty = empty
  A□-++ Q Z x .(Lab Q x₁ :: l) m (extc l .m (inj₁ x₁) x₂) = let
      x' : Tr∞ l m (fmap∞ Ass⊎r (fma
      x' = x₂
      x₁' : Tr∞ l m (fmap∞
      x₁' = lemFmap∞ inj₂ Ass⊎r (f
      x₂' : Tr∞ l m (fmap∞ (Ass⊎r
      x₂' = lemFmap∞ inj₁ (Ass⊎r ∘
      x₃' : Tr∞ l m (fmap
      x₃' = lemFmap∞R inj₂ inj₁ (PE
    in extc l m (inj₁ x₁) x₃'
  A□-++ Q Z x .(Lab Z y :: l) m (extc l .m (inj₂ y) x₂) = let
      x' : Tr∞ l m (fmap∞ As
      x' = x₂
      x₁' : Tr∞ l m (fmap∞
      x₁' = lemFmap∞ inj₂ Ass⊎r (f
      x₂' : Tr∞ l m (fmap∞
      x₂' = lemFmap∞ inj₂ (Ass⊎r ∘
    in extc l m (inj₂ y) x₂'
  A□-++ Q Z x l m (intc .l .m (inj₁ x₁) x₂) = intc l m (inj₁ x₁) (A□-∞+ (PI Q x₁) Z x l m x₂
  A□-++ Q Z x l m (intc .l .m (inj₂ y) x₂) = intc l m (inj₂ y) (A□-+∞ Q (PI Z
  A□-++ Q Z x .[] .(just (inj₁ (inj₁ x))) (terc (inj₁ x₁)) = terc (inj₁ (inj₁ x₁))
  A□-++ Q Z x .[] .(just (inj₁ (inj₂ (PT Q x₁)))) (terc (inj₂ (inj₁ x₁))) = terc (inj₁ (inj₂ x₁))
  A□-++ Q Z x .[] .(just (inj₂ (PT Z y))) (terc (inj₂ (inj₂ y))) = terc (inj₂ y)


  A□+-+ : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process+ ∞ {lu} c₀)
          (Z : Process+ ∞ {lu} c₂)
          → (x : ChoiceSet c₁)
          → (l : List (Label lu))
          → (m : Maybe maybeExtC)
          → (tr : Tr+ l m (fmap+ Ass⊎r (P □++ addTimed✓+ (inj₁ x) (fmap+ inj₂
          → Tr+ l m (addTimed✓+ (inj₂ x) (fmap+ inj₁ P) □++ Z)
  A□+-+ P Z x .[] .nothing empty = empty
  A□+-+ P Z x .(Lab P x₁ :: l) m (extc l .m (inj₁ x₁) x₂) = let
      x' : Tr∞ l m (fmap∞ Ass⊎r (fma
      x' = x₂
      x₁' : Tr∞ l m (fmap∞ (Ass⊎r ∘
      x₁' = lemFmap∞ inj₁ Ass⊎r (PE P x₁)
      x₂' : Tr∞ l m (fmap∞ inj₁ (fma
      x₂' = lemFmap∞R inj₁ inj₁ (PE P x₁) l
    in extc l m (inj₁ x₁) x₂'
  A□+-+ P Z x .(Lab Z y :: l) m (extc l .m (inj₂ y) x₂) = let
      x' : Tr∞ l m (fmap∞ Ass⊎r (fma
      x' = x₂
      x₁' : Tr∞ l m (fmap∞ (Ass⊎r ∘
      x₁' = lemFmap∞ inj₂ Ass⊎r (fmap∞ in
      x₂' : Tr∞ l m (fmap∞ (Ass⊎r ∘ inj₂ ∘
      x₂' = lemFmap∞ inj₂ (Ass⊎r ∘ inj₂) (P
    in extc l m (inj₂ y) x₂'
  A□+-+ P Z x l m (intc .l .m (inj₁ x₁) x₂) = intc l m (inj₁ x₁) (A□∞-+ (PI P x₁) Z x l m x₂)
  A□+-+ P Z x l m (intc .l .m (inj₂ y) x₂) = intc l m (inj₂ y) (A□+-∞ P (PI Z y) x l m x₂)
  A□+-+ P Z x .[] .(just (inj₁ (inj₁ (PT P x₁)))) (terc (inj₁ x₁)) = terc (inj₁ (inj₂ x₁))
  A□+-+ P Z x .[] .(just (inj₁ (inj₂ x))) (terc (inj₂ (inj₁ x₁))) = terc (inj₁ (inj₁ x₁))
  A□+-+ P Z x .[] .(just (inj₂ (PT Z y))) (terc (inj₂ (inj₂ y))) = terc (inj₂ y)

  A□+∞- : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process+ ∞ {lu} c₀)
          (Q : Process∞ ∞ {lu} c₁)
          → (m : Maybe maybeExtC)
          → (l : List (Label lu))
          → (x : ChoiceSet c₂)
          → (x₂ : Tr∞ l m (fmap∞ Ass⊎r (P □+∞+ addTimed✓∞ (inj₂ x) (fmap∞ inj₁ Q))))
          → Tr∞ l m (addTimed✓∞ (inj₂ x) (fmap∞ inj₁ (P □+∞+ Q)))
  A□+∞- P Q m l x (tnode tr) = tnode (A□+p- P (forcep Q) m l x tr)

  A□∞+- : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process∞ ∞ {lu} c₀)
          (Q : Process+ ∞ {lu} c₁)
          → (m : Maybe maybeExtC)
          → (l : List (Label lu))
          → (x : ChoiceSet c₂)
          → (x₂ : Tr∞ l m (fmap∞ Ass⊎r (P □∞++ addTimed✓+ (inj₂ x) (fmap+ inj₁
          → Tr∞ l m (addTimed✓∞ (inj₂ x) (fmap∞ inj₁ (P □∞++ Q)))
  A□∞+- P Q m l x (tnode tr) = tnode (A□p+- (forcep P) Q m l x tr)

  A□-∞+ : {lu : LUniv}{c₀ c₁ c₂ : Choice}(Q : Process∞ ∞ {lu} c₁)
          (Z : Process+ ∞ {lu} c₂)
          → (x : ChoiceSet c₀)
          → (l : List (Label lu))
          → (m : Maybe ((ChoiceSet c₀ ⊎ ChoiceSet c₁) ⊎ ChoiceSet c₂))
          → (x₂ : Tr∞ l m (fmap∞ Ass⊎r (addTimed✓∞ (inj₁ x) (fmap∞ inj₂ (Q □∞+
          → Tr∞ l m (addTimed✓∞ (inj₁ x) (fmap∞ inj₂ Q) □∞++ Z)
  A□-∞+ Q Z x l m (tnode tr) = A□-p+ (forcep Q) Z x l m tr

  A□∞-+ : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process∞ ∞ {lu} c₀)
          (Z : Process+ ∞ {lu} c₂)
          → (x : ChoiceSet c₁)
          → (l : List (Label lu))
          → (m : Maybe maybeExtC)
          → (x₂ : Tr∞ l m (fmap∞ Ass⊎r (P □∞++ addTimed✓+ (inj₁ x) (fmap+ i
          → Tr∞ l m (addTimed✓∞ (inj₂ x) (fmap∞ inj₁ (P)) □∞++ Z)
  A□∞-+ P Z x l m (tnode tr) = A□p-+ (forcep P) Z x l m tr

  A□+-∞ : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process+ ∞ {lu} c₀)
          (Z : Process∞ ∞ {lu} c₂)
          → (x : ChoiceSet c₁)
          → (l : List (Label lu))
          → (m : Maybe maybeExtC)
          → (x₂ : Tr∞ l m (fmap∞ Ass⊎r (P □+∞+ addTimed✓∞ (inj₁ x) (fmap∞ inj
          → Tr∞ l m (addTimed✓+ (inj₂ x) (fmap+ inj₁ P) □+∞+ Z)
  A□+-∞ P Z x l m (tnode tr) = A□+-p P (forcep Z) x l m tr


o 


-o 
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AD-+00 : {lu : LUniv}{c 0 c\ c 2 : Choice}(Q : Process+ cx) { lu } c\) 

(Z : Processoo oo {lu} c 2 ) 

—> (x : ChoiceSet c 0 ) 

—> ( l : List (Label lu)) 

—)■ (m : Maybe maybeExtC) 

—>■ (x2 : Troo l m (fmapoo AssWr (addTimed/oo (inji x) (fmapoo inj 2 (Q d/ooZ Z )))) 
—>• Troo l m (addTimed/ + (inji x) (fmap+ inj 2 Q) D/oo/ Z ) 

An-+oo Q Z x l m (tnode tr) = tnode ( AD-+p Q (forcep Z) x l m tr) 


A□p+- : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process ∞ c₀)
  (Q : Process+ ∞ {lu} c₁)
  → (m : Maybe maybeExtC)
  → (l : List (Label lu))
  → (x : ChoiceSet c₂)
  → (x₂ : Tr+ l m (fmap+ Ass⊎r (P □p++ addTimed✓+ (inj₂ x) (fmap+ inj₁ Q))))
  → Tr+ l m ((addTimed✓+ (inj₂ x) (fmap+ inj₁ (P □p++ Q))))
A□p+- (terminate x) Q m l x₁ x₂ = A□-+- Q x₁ x l m x₂
A□p+- (node x) Q m l x₁ x₂ = A□++- x Q m l x₁ x₂

A□+p- : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process+ ∞ {lu} c₀)
  (Q : Process ∞ c₁)
  → (m : Maybe maybeExtC)
  → (l : List (Label lu))
  → (x : ChoiceSet c₂)
  → (x₂ : Tr+ l m (fmap+ Ass⊎r (P □+p+ addTimed✓ (inj₂ x) (fmap inj₁ Q))))
  → Tr+ l m ((addTimed✓+ (inj₂ x) (fmap+ inj₁ (P □+p+ Q))))
A□+p- P (terminate x) m l x₁ x₂ = A□+- P m l x₁ x (A□+-s P m l x x₁ x₂)
A□+p- P (node x) m l x₁ x₂ = A□++- P x m l x₁ x₂


A□+-p : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process+ ∞ {lu} c₀)
  (Z : Process ∞ c₂)
  → (x : ChoiceSet c₁)
  → (l : List (Label lu))
  → (m : Maybe maybeExtC)
  → (x₂ : Tr+ l m (fmap+ Ass⊎r (P □+p+ addTimed✓ (inj₁ x) (fmap inj₂ Z))))
  → Tr l m (node (addTimed✓+ (inj₂ x) (fmap+ inj₁ P) □+p+ Z))
A□+-p P (terminate x) x₁ l m x₂ = tnode (A□+- P m l x x₁ x₂)
A□+-p P (node x) x₁ l m x₂ = tnode (A□+-+ P x x₁ l m x₂)


A□-+p : {lu : LUniv}{c₀ c₁ c₂ : Choice}(Q : Process+ ∞ {lu} c₁)
  (Z : Process ∞ c₂)
  → (x : ChoiceSet c₀)
  → (l : List (Label lu))
  → (m : Maybe maybeExtC)
  → (tr : Tr+ l m ((fmap+ Ass⊎r (addTimed✓+ (inj₁ x) (fmap+ inj₂ (Q □+p
  → Tr+ l m ((addTimed✓+ (inj₁ x) (fmap+ inj₂ Q) □+p+ Z))
A□-+p Q (terminate x) x₁ l m tr = A□-+- Q x x₁ l m tr
A□-+p Q (node x) x₁ l m tr = A□-++ Q x x₁ l m tr

A□p-+ : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process ∞ c₀)
  (Z : Process+ ∞ {lu} c₂)
  → (x : ChoiceSet c₁)
  → (l : List (Label lu))
  → (m : Maybe maybeExtC)
  → (x₂ : Tr+ l m (fmap+ Ass⊎r (P □p++ addTimed✓+ (inj₁ x) (fmap+ inj₂ Z
  → Tr l m (node (addTimed✓ (inj₂ x) (fmap inj₁ P) □p++ Z))
A□p-+ (terminate x) Z x₁ l m x₂ = A□-+s Z x x₁ l m x₂
A□p-+ (node x) Z x₁ l m x₂ = tnode (A□+-+ x Z x₁ l m x₂)


A□-p+ : {lu : LUniv}{c₀ c₁ c₂ : Choice}(Q : Process ∞ c₁)
  (Z : Process+ ∞ {lu} c₂)
  → (x : ChoiceSet c₀)
  → (l : List (Label lu))
  → (m : Maybe ((ChoiceSet c₀ ⊎ ChoiceSet c₁) ⊎ ChoiceSet c₂))
  → (tr : Tr+ l m (fmap+ Ass⊎r (addTimed✓+ (inj₁ x) (fmap+ inj₂ (Q □p+
  → Tr l m (node (addTimed✓ (inj₁ x) (fmap inj₂ Q) □p++ Z))
A□-p+ (terminate q) Z x l m tr = tnode (A□--+ Z q x l m tr)
A□-p+ (node q) Z x l m tr = tnode (A□-++ q Z x l m tr)


A□-∞- : {lu : LUniv}{c₀ c₁ c₂ : Choice}(Q : Process∞ ∞ {lu} c₁)
  → (m : Maybe maybeExtC)
  → (l : List (Label lu))
  → (x : ChoiceSet c₀)
  → (x₁ : ChoiceSet c₂)
  → (x₃ : Tr∞ l m (fmap∞ Ass⊎r (addTimed✓∞ (inj₁ x) (fmap∞ inj₂ (addTimed✓∞ (i
  → Tr∞ l m (addTimed✓∞ (inj₂ x₁) (fmap∞ inj₁ (addTimed✓∞ (inj₁ x) (fmap∞ inj₂ (
A□-∞- Q m l x x₁ tr = A□-p- (forcep Q) x₁ x l m tr

A□∞-- : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process∞ ∞ {lu} c₀)
  → (m : Maybe maybeExtC)
  → (l : List (Label lu))
  → (x : ChoiceSet c₁)
  → (x₁ : ChoiceSet c₂)
  → (x₃ : Tr∞ l m (fmap∞ Ass⊎r (P □∞++ fmap+ unify⊎A (2-✓+ (inj₁ x₁) (inj₂
  → Tr∞ l m (addTimed✓∞ (inj₂ x) (fmap∞ inj₁ (addTimed✓∞ (inj₂ x₁) (fmap∞ inj₁ (
A□∞-- P m l x x₁ tr = A□p-- (forcep P) x₁ x l m tr


A□∞--s : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process∞ ∞ {lu} c₀)
  → (m : Maybe maybeExtC)
  → (l : List (Label lu))
  → (x : ChoiceSet c₁)
  → (x₁ : ChoiceSet c₂)
  → (x₃ : Tr∞ l m (fmap∞ Ass⊎r (P □∞++ fmap+ unify⊎A (2-✓+ (inj₂ x₁) (inj₁ x))
  → Tr∞ l m (fmap∞ Ass⊎r (P □∞++ fmap+ unify⊎A (2-✓+ (inj₁ x) (inj₂ x₁))))
A□∞--s P m l x x₁ tr = A□p--s (forcep P) x₁ x l m tr


A□--∞s : {lu : LUniv}{c₀ c₁ c₂ : Choice}(Z : Process∞ ∞ {lu} c₂)
  → (x₁ : ChoiceSet c₁)
  → (x : ChoiceSet c₀)
  → (l : List (Label lu))
  → (m : Maybe maybeExtC)
  → (x₃ : Tr∞ l m (fmap∞ Ass⊎r (addTimed✓∞ (inj₁ x) (fmap∞ inj₂ (addTimed✓∞ (i
  → Tr∞ l m (fmap+ unify⊎A (2-✓+ (inj₂ x₁) (inj₁ x)) □+∞+ Z)
A□--∞s Z q x l m tr = A□--ps (forcep Z) x q l m tr


A□--∞ : {lu : LUniv}{c₀ c₁ c₂ : Choice}(Z : Process∞ ∞ {lu} c₂)
  → (q : ChoiceSet c₁)
  → (x : ChoiceSet c₀)
  → (l : List (Label lu))
  → (m : Maybe maybeExtC)
  → (x₂ : Tr∞ l m (fmap∞ Ass⊎r (addTimed✓∞ (inj₁ x) (fmap∞ inj₂ (addTime
  → Tr∞ l m (fmap+ unify⊎A (2-✓+ (inj₁ x) (inj₂ q)) □+∞+ Z)
A□--∞ Z q x l m tr = A□--p (forcep Z) x q l m tr


A□--p : {lu : LUniv}{c₀ c₁ c₂ : Choice}(Z : Process ∞ c₂)
  → (x : ChoiceSet c₀)
  → (q : ChoiceSet c₁)
  → (l : List (Label lu))
  → (m : Maybe ((ChoiceSet c₀ ⊎ ChoiceSet c₁) ⊎ ChoiceSet c₂))
  → (x₂ : Tr l m (fmap Ass⊎r (addTimed✓ (inj₁ x) (fmap inj₂ (addTimed✓ (inj₁ q
  → Tr l m (node (fmap+ unify⊎A (2-✓+ (inj₁ x) (inj₂ q)) □+p+ Z))
A□--p (terminate x) x₁ q .[] .nothing (tnode empty) = tnode empty
A□--p (terminate x) x₁ q .(Lab (2-✓+ (inj₁ q) (inj₂ x)) _ ∷ l₁) m (tnode (extc l₁ .m () tr))
A□--p (terminate x) x₁ q l m (tnode (intc .l .m () tr))
A□--p (terminate x) x₁ q .[] .(just (inj₁ (inj₁ x₁))) (tnode (terc (inj₁ zero))) = tnode (terc (inj
A□--p (terminate x) x₁ q .[] .(just (inj₁ (inj₁ x₁))) (tnode (terc (inj₁ (suc ()))))
A□--p (terminate x) x₁ q .[] .(just (inj₁ (inj₂ q))) (tnode (terc (inj₂ zero))) = tnode (terc (inj₂
A□--p (terminate x) x₁ q .[] .(just (inj₂ x)) (tnode (terc (inj₂ (suc zero)))) = tnode (terc (inj₁
A□--p (terminate x) x₁ q .[] .(just (Ass⊎r (inj₂ (unify⊎A (PT (2-✓+ (inj₁ q) (inj₂ x)) (suc (s
A□--p (node x) x₁ q l m (tnode tr) = tnode (A□--+ x q x₁ l m tr)

A□--ps : {lu : LUniv}{c₀ c₁ c₂ : Choice}(Z : Process ∞ c₂)
  → (x : ChoiceSet c₀)
  → (q : ChoiceSet c₁)
  → (l : List (Label lu))
  → (m : Maybe ((ChoiceSet c₀ ⊎ ChoiceSet c₁) ⊎ ChoiceSet c₂))
  → (x₂ : Tr l m (fmap Ass⊎r (addTimed✓ (inj₁ x) (fmap inj₂ (addTimed✓ (in
  → Tr l m (node (fmap+ unify⊎A (2-✓+ (inj₂ q) (inj₁ x)) □+p+ Z))
A□--ps (terminate x) x₁ q .[] .nothing (tnode empty) = tnode empty
A□--ps (terminate x) x₁ q .(Lab (2-✓+ (inj₁ q) (inj₂ x)) _ ∷ l₁) m (tnode (extc l₁ .m () tr))
A□--ps (terminate x) x₁ q l m (tnode (intc .l .m () tr))
A□--ps (terminate x) x₁ q .[] .(just (inj₁ (inj₁ x₁))) (tnode (terc (inj₁ zero))) = tnode (terc (in
A□--ps (terminate x) x₁ q .[] .(just (inj₁ (inj₁ x₁))) (tnode (terc (inj₁ (suc ()))))
A□--ps (terminate x) x₁ q .[] .(just (inj₁ (inj₂ q))) (tnode (terc (inj₂ zero))) = tnode (terc (inj
A□--ps (terminate x) x₁ q .[] .(just (inj₂ x)) (tnode (terc (inj₂ (suc zero)))) = tnode (terc (inj
A□--ps (terminate x) x₁ q .[] .(just (Ass⊎r (inj₂ (unify⊎A (PT (2-✓+ (inj₁ q) (inj₂ x)) (suc (suc _))))))) (tnode (terc (inj₂ (s
A□--ps (node x) x₁ q l m (tnode tr) = A□--+s x x₁ q l m tr
A□p-- : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process ∞ c₀)
  → (x₁ : ChoiceSet c₂)
  → (x : ChoiceSet c₁)
  → (l : List (Label lu))
  → (m : Maybe maybeExtC)
  → (x₃ : Tr l m (node (fmap+ Ass⊎r (P □p++ fmap+ unify⊎A (2-✓+ (inj₁ x₁) (inj₂ x
  → Tr l m (addTimed✓ (inj₂ x) (fmap inj₁ (addTimed✓ (inj₂ x₁) (fmap inj₁ (P)))))
A□p-- (terminate x) x₁ x₂ .[] .nothing (tnode empty) = tnode empty
A□p-- (terminate x) x₁ x₂ .(Lab (2-✓+ (inj₁ x₁) (inj₂ x₂)) _ ∷ l₁) m (tnode (extc l₁ .m () tr))
A□p-- (terminate x) x₁ x₂ l m (tnode (intc .l .m () tr))
A□p-- (terminate x) x₁ x₂ .[] .(just (inj₁ (inj₁ x))) (tnode (terc (inj₁ zero))) = tnode (terc (inj₂
A□p-- (terminate x) x₁ x₂ .[] .(just (inj₁ (inj₁ x))) (tnode (terc (inj₁ (suc ()))))
A□p-- (terminate x) x₁ x₂ .[] .(just (inj₁ (inj₂ x₁))) (tnode (terc (inj₂ zero))) = tnode (terc (inj₂ zero))
A□p-- (terminate x) x₁ x₂ .[] .(just (inj₂ x₂)) (tnode (terc (inj₂ (suc zero)))) = tnode (terc (inj₁ zero))
A□p-- (terminate x) x₁ x₂ .[] .(just (Ass⊎r (inj₂ (unify⊎A (PT (2-✓+ (inj₁ x₁) (inj₂ x₂)) (suc (suc _)
                                (tnode (terc (inj₂ (suc
A□p-- (node x) x₁ x₂ l m (tnode tr) = tnode (A□+- x m l x₂ x₁ tr)

A□p--s : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process ∞ c₀)
  → (x₁ : ChoiceSet c₂)
  → (x : ChoiceSet c₁)
  → (l : List (Label lu))
  → (m : Maybe maybeExtC)
  → (x₃ : Tr l m (node (fmap+ Ass⊎r (P □p++ fmap+ unify⊎A (2-✓+ (inj₂ x₁) (inj₁ x
  → Tr l m (node (fmap+ Ass⊎r (P □p++ fmap+ unify⊎A (2-✓+ (inj₁ x) (inj₂ x₁)))))
A□p--s (terminate x) x₁ x₂ .[] .nothing (tnode empty) = tnode empty
A□p--s (terminate x) x₁ x₂ .(Lab (2-✓+ (inj₂ x₁) (inj₁ x₂)) _ ∷ l₁) m (tnode (extc l₁ .m () tr))
A□p--s (terminate x) x₁ x₂ l m (tnode (intc .l .m () tr))
A□p--s (terminate x) x₁ x₂ .[] .(just (inj₁ (inj₁ x))) (tnode (terc (inj₁ zero))) = tnode (terc (inj₁ zero))
A□p--s (terminate x) x₁ x₂ .[] .(just (inj₁ (inj₁ x))) (tnode (terc (inj₁ (suc ()))))
A□p--s (terminate x) x₁ x₂ .[] .(just (inj₂ x₁)) (tnode (terc (inj₂ zero))) = tnode (terc (inj₂ (suc zero))
A□p--s (terminate x) x₁ x₂ .[] .(just (inj₁ (inj₂ x₂))) (tnode (terc (inj₂ (suc zero)))) = tnode (terc (inj₂
A□p--s (terminate x) x₁ x₂ .[] .(just (Ass⊎r (inj₂ (unify⊎A (PT (2-✓+ (inj₂ x₁) (inj₁ x₂)) (suc (suc _
                                 (tnode (terc (inj₂ (suc
A□p--s (node x) x₁ x₂ l m (tnode tr) = tnode (A□+-s x m l x₂ x₁ tr)

A□-p- : {lu : LUniv}{c₀ c₁ c₂ : Choice}(Q : Process ∞ c₁)
  → (x₁ : ChoiceSet c₀)
  → (x : ChoiceSet c₂)
  → (l : List (Label lu))
  → (m : Maybe maybeExtC)
  → (x₃ : Tr l m (fmap Ass⊎r (addTimed✓ (inj₁ x) (fmap inj₂ (addTimed✓ (in
  → Tr l m (addTimed✓ (inj₂ x₁) (fmap inj₁ (addTimed✓ (inj₁ x) (fmap inj₂ (Q)
A□-p- (terminate x) x₁ x₂ .[] .nothing (tnode empty) = tnode empty
A□-p- (terminate x) x₁ x₂ .(Lab (2-✓+ (inj₂ x₃) (inj₁ x)) _ ∷ l₁) m (tnode (extc l₁ .m () tr))
A□-p- (terminate x) x₁ x₂ l m (tnode (intc .l .m () tr))
A□-p- (terminate x) x₁ x₂ .[] .(just (inj₁ (inj₁ x₂))) (tnode (terc (inj₁ zero))) = tnode (terc (in
A□-p- (terminate x) x₁ x₂ .[] .(just (inj₁ (inj₁ x₂))) (tnode (terc (inj₁ (suc ()))))
A□-p- (terminate x) x₁ x₂ .[] .(just (inj₂ x₁)) (tnode (terc (inj₂ zero))) = tnode (terc (inj₁ zer
A□-p- (terminate x) x₁ x₂ .[] .(just (inj₁ (inj₂ x))) (tnode (terc (inj₂ (suc zero)))) = tnode (te
A□-p- (terminate x) x₁ x₂ .[] .(just (Ass⊎r (inj₂ (unify⊎A (PT (2-✓+ (inj₂ x₁) (inj₁ x)) (suc
                                (tnode (ter
A□-p- (node x) x₁ x₂ l m (tnode x₃) = tnode (A□-+- x x₁ x₂ l m x₃)


A□-+- : {lu : LUniv}{c₀ c₁ c₂ : Choice}(Q : Process+ ∞ {lu} c₁)
  → (x₁ : ChoiceSet c₀)
  → (x : ChoiceSet c₂)
  → (l : List (Label lu))
  → (m : Maybe maybeExtC)
  → (x₂ : Tr+ l m (fmap+ Ass⊎r (addTimed✓+ (inj₁ x) (fmap+ inj₂ (addTim
  → Tr+ l m (addTimed✓+ (inj₂ x₁) (fmap+ inj₁ (addTimed✓+ (inj₁ x) (fmap+
A□-+- Q x₁ x .[] .nothing empty = empty
A□-+- Q x₁ x .(Lab Q x₂ ∷ l) m (extc l .m x₂ x₃) = let
    x' : Tr∞ l m (fmap∞ Ass⊎r (fmap
    x' = x₃
    x₁' : Tr∞ l m (fmap∞ (Ass⊎
    x₁' = lemFmap∞ inj₂ Ass⊎r (fmap∞
    x₂' : Tr∞ l m (fmap∞ (Ass⊎
    x₂' = lemFmap∞ inj₁ (Ass⊎r ∘ inj₂) (
    x₃' : Tr∞ l m (fmap∞ inj₁ (fmap∞ i
    x₃' = lemFmap∞R inj₂ inj₁ (PE Q x₂
  in extc l m x₂ x₃'
A□-+- Q x₁ x l m (intc .l .m x₂ x₃) = intc l m x₂ (A□-∞- (PI Q x₂) m l x x₁ x₃)
A□-+- Q x₁ x .[] .(just (inj₁ (inj₁ x))) (terc (inj₁ x₂)) = terc (inj₂ (inj₁ x₂))
A□-+- Q x₁ x .[] .(just (inj₂ x₁)) (terc (inj₂ (inj₁ zero))) = terc (inj₁ zero)
A□-+- Q x₁ x .[] .(just (inj₂ x₁)) (terc (inj₂ (inj₁ (suc ()))))
A□-+- Q x₁ x .[] .(just (inj₁ (inj₂ (PT Q y)))) (terc (inj₂ (inj₂ y))) = terc (inj₂ (inj₂ y))


A□+- : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process+ ∞ {lu} c₀)
  → (m : Maybe maybeExtC)
  → (l : List (Label lu))
  → (x : ChoiceSet c₁)
  → (x₁ : ChoiceSet c₂)
  → (x₂ : Tr+ l m (fmap+ Ass⊎r (P □++ fmap+ unify⊎A (2-✓+ (inj₁ x₁) (inj₂ x)))))
  → Tr+ l m ((addTimed✓+ (inj₂ x) (fmap+ inj₁ (addTimed✓+ (inj₂ x₁) (fmap+ inj₁ P)
A□+- P .nothing .[] x x₁ empty = empty
A□+- P m .(Lab P x₂ ∷ l) x x₁ (extc l .m (inj₁ x₂) tr) = let
    x' : Tr∞ l m (fmap∞ Ass⊎r (fm
    x' = tr
    x₁' : Tr∞ l m (fmap∞ (Ass⊎
    x₁' = lemFmap∞ inj₁ Ass⊎r (PE
    x₂' : Tr∞ l m (fmap∞ inj₁ (fm
    x₂' = lemFmap∞R inj₁ inj₁ (PE
  in extc l m x₂ x₂'
A□+- P m .(Lab (2-✓+ (inj₁ x₁) (inj₂ x)) _ ∷ l₁) x x₁ (extc l₁ .m (inj₂ ()) tr)
A□+- P m l x x₁ (intc .l .m (inj₁ x₂) tr) = intc l m x₂ (A□∞-- (PI P x₂) m l x x₁ tr)
A□+- P m l x x₁ (intc .l .m (inj₂ ()) tr)
A□+- P .(just (inj₁ (inj₁ (PT P x₂)))) .[] x x₁ (terc (inj₁ x₂)) = terc (inj₂ (inj₂ x₂))
A□+- P .(just (inj₁ (inj₂ x₁))) .[] x x₁ (terc (inj₂ zero)) = terc (inj₂ (inj₁ zero))
A□+- P .(just (inj₂ x)) .[] x x₁ (terc (inj₂ (suc zero))) = terc (inj₁ zero)
A□+- P .(just (Ass⊎r (inj₂ (unify⊎A (PT (2-✓+ (inj₁ x₁) (inj₂ x)) (suc (suc _))))))) .[] x x₁ (terc (


A□+-s : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process+ ∞ {lu} c₀)
  → (m : Maybe maybeExtC)
  → (l : List (Label lu))
  → (x : ChoiceSet c₁)
  → (x₁ : ChoiceSet c₂)
  → (x₂ : Tr+ l m (fmap+ Ass⊎r (P □++ fmap+ unify⊎A (2-✓+ (inj₂ x₁) (inj₁ x)))))
  → Tr+ l m (fmap+ Ass⊎r (P □++ fmap+ unify⊎A (2-✓+ (inj₁ x) (inj₂ x₁)))
A□+-s P .nothing .[] x x₁ empty = empty
A□+-s P m .(Lab P x₂ ∷ l) x x₁ (extc l .m (inj₁ x₂) tr) = let
    x' : Tr∞ l m (fmap∞ A
    x' = tr
    x₁' : Tr∞ l m (fmap∞ (
    x₁' = lemFmap∞ inj₁
    x₂' : Tr∞ l m (fmap∞
    x₂' = lemFmap∞R inj₁
  in extc l m (inj₁ x₂
A□+-s P m .(Lab (2-✓+ (inj₂ x₁) (inj₁ x)) _ ∷ l₁) x x₁ (extc l₁ .m (inj₂ ()) tr)
A□+-s P m l x x₁ (intc .l .m (inj₁ x₂) tr) = intc l m (inj₁ x₂) (A□∞--s (PI P x₂) m l x x₁ tr
A□+-s P m l x x₁ (intc .l .m (inj₂ ()) tr)
A□+-s P .(just (inj₁ (inj₁ (PT P x₂)))) .[] x x₁ (terc (inj₁ x₂)) = terc (inj₁ x₁)
A□+-s P .(just (inj₂ x₁)) .[] x x₁ (terc (inj₂ zero)) = terc (inj₂ (suc zero))
A□+-s P .(just (inj₁ (inj₂ x))) .[] x x₁ (terc (inj₂ (suc zero))) = terc (inj₂ zero)
A□+-s P .(just (Ass⊎r (inj₂ (unify⊎A (PT (2-✓+ (inj₂ x₁) (inj₁ x)) (suc (suc _))))))) .[] x

A□--+ : {lu : LUniv}{c₀ c₁ c₂ : Choice}(Z : Process+ ∞ {lu} c₂)
  → (q : ChoiceSet c₁)
  → (x : ChoiceSet c₀)
  → (l : List (Label lu))
  → (m : Maybe ((ChoiceSet c₀ ⊎ ChoiceSet c₁) ⊎ ChoiceSet c₂))
  → (tr : Tr+ l m (fmap+ Ass⊎r (addTimed✓+ (inj₁ x) (fmap+ inj₂ (addTimed✓
  → Tr+ l m (fmap+ unify⊎A (2-✓+ (inj₁ x) (inj₂ q)) □++ Z)
A□--+ Z q x .[] .nothing empty = empty
A□--+ Z q x .(Lab Z x₁ ∷ l) m (extc l .m x₁ x₂) = let
    x' : Tr∞ l m (fmap∞ Ass⊎r (fmap∞ in
    x' = x₂
    x₁' : Tr∞ l m (fmap∞ (Ass⊎r ∘ inj₂) (
    x₁' = lemFmap∞ inj₂ Ass⊎r (fmap∞ in
    x₂' : Tr∞ l m (fmap∞ (Ass⊎r ∘ inj₂ ∘
    x₂' = lemFmap∞ inj₂ (Ass⊎r ∘ inj₂)
  in extc l m (inj₂ x₁) x₂'
A□--+ Z q x l m (intc .l .m x₁ x₂) = intc l m (inj₂ x₁) (A□--∞ (PI Z x₁) q x l m x₂)
A□--+ Z q x .[] .(just (inj₁ (inj₁ x))) (terc (inj₁ zero)) = terc (inj₁ zero)
A□--+ Z q x .[] .(just (inj₁ (inj₁ x))) (terc (inj₁ (suc ())))
A□--+ Z q x .[] .(just (inj₁ (inj₂ q))) (terc (inj₂ (inj₁ zero))) = terc (inj₁ (suc zero))
A□--+ Z q x .[] .(just (inj₁ (inj₂ q))) (terc (inj₂ (inj₁ (suc ()))))
A□--+ Z q x .[] .(just (inj₂ (PT Z y))) (terc (inj₂ (inj₂ y))) = terc (inj₂ y)

A□--+s : {lu : LUniv}{c₀ c₁ c₂ : Choice}(Z : Process+ ∞ {lu} c₂)
  → (x : ChoiceSet c₀)
  → (x₁ : ChoiceSet c₁)
  → (l : List (Label lu))
  → (m : Maybe ((ChoiceSet c₀ ⊎ ChoiceSet c₁) ⊎ ChoiceSet c₂))
  → (x₂ : Tr+ l m (fmap+ Ass⊎r (addTimed✓+ (inj₁ x) (fmap+ inj₂ (addTimed✓+ (i
  → Tr l m (node (fmap+ unify⊎A (2-✓+ (inj₂ x₁) (inj₁ x)) □++ Z))
A□--+s Z x x₁ .[] .nothing empty = tnode empty
A□--+s Z x x₁ .(Lab Z x₂ ∷ l) m (extc l .m x₂ x₃) = let
    x' : Tr∞ l m (fmap∞ Ass⊎r (fmap∞ inj₂ (fr
    x' = x₃
    x₁' : Tr∞ l m (fmap∞ (Ass⊎r ∘ inj₂) (fmap∞
    x₁' = lemFmap∞ inj₂ Ass⊎r (fmap∞ inj₂ (PI
    x₂' : Tr∞ l m (fmap∞ (Ass⊎r ∘ inj₂ ∘ inj₂) (
    x₂' = lemFmap∞ inj₂ (Ass⊎r ∘ inj₂) (PE Z x
  in tnode (extc l m (inj₂ x₂) x₂')
A□--+s Z x x₁ l m (intc .l .m x₂ x₃) = tnode (intc l m (inj₂ x₂) (A□--∞s (PI Z x₂) x₁ x l m x₃))
A□--+s Z x x₁ .[] .(just (inj₁ (inj₁ x))) (terc (inj₁ zero)) = tnode (terc (inj₁ (suc zero)))
A□--+s Z x x₁ .[] .(just (inj₁ (inj₁ x))) (terc (inj₁ (suc ())))
A□--+s Z x x₁ .[] .(just (inj₁ (inj₂ x₁))) (terc (inj₂ (inj₁ zero))) = tnode (terc (inj₁ zero))
A□--+s Z x x₁ .[] .(just (inj₁ (inj₂ x₁))) (terc (inj₂ (inj₁ (suc ()))))
A□--+s Z x x₁ .[] .(just (inj₂ (PT Z y))) (terc (inj₂ (inj₂ y))) = tnode (terc (inj₂ y))


mutual

  A□+r : {lu : LUniv}{c₀ c₁ c₂ : Choice} (P : Process+ ∞ {lu} c₀) (Q : Process+ ∞ {lu} c₁) (Z : Pr
         fmap+ Ass⊎r (P □++ (Q □++ Z)) ⊑+ ((P □++ Q) □++ Z)
  A□+r P Q Z .[] .nothing empty = empty
  A□+r P Q Z .(Lab P x ∷ l) m (extc l .m (inj₁ (inj₁ x)) x₁) = let
      x' : Tr∞ l m (fmap∞ inj₁ (fmap∞ i
      x' = x₁
      x₁' : Tr∞ l m (fmap∞ (As
      x₁' = lemFmap∞ inj₁ inj₁ (PE P x)
      x₂' : Tr∞ l m (PE (fmap+
      x₂' = lemFmap∞R inj₁ Ass⊎r (PE P
    in extc l m (inj₁ x) x₂'
  A□+r P Q Z .(Lab Q y ∷ l) m (extc l .m (inj₁ (inj₂ y)) x₁) = let
      x' : Tr∞ l m (fmap∞ inj₁ (fmap∞ i
      x' = x₁
      x₁' : Tr∞ l m (fmap∞ (As
      x₁' = lemFmap∞ inj₂ inj₁ (PE Q y)
      x₂' : Tr∞ l m (fmap∞ (As
      x₂' = lemFmap∞R inj₁ (Ass⊎r ∘ inj₂
      x₃' : Tr∞ l m (fmap∞ Ass
      x₃' = lemFmap∞R inj₂ Ass⊎r (fmap
    in extc l m (inj₂ (inj₁ y)) x
  A□+r P Q Z .(Lab Z y ∷ l) m (extc l .m (inj₂ y) x₁) = let
      x' : Tr∞ l m (fmap∞ inj₂
      x' = x₁
      x₂' : Tr∞ l m (fmap∞ (Ass⊎r ∘ i
      x₂' = lemFmap∞R inj₂ (Ass⊎r ∘
      x₃' : Tr∞ l m (fmap∞ Ass⊎r (fm
      x₃' = lemFmap∞R inj₂ Ass⊎r (fm
    in extc l m (inj₂ (inj₂ y)) x₃'
  A□+r P Q Z l m (intc .l .m (inj₁ (inj₁ x)) x₁) = intc l m (inj₁ x) (A□∞++r (PI P x) Q Z l
  A□+r P Q Z l m (intc .l .m (inj₁ (inj₂ y)) x₁) = intc l m (inj₂ (inj₁ y)) (A□+∞+r P (PI Q
  A□+r P Q Z l m (intc .l .m (inj₂ y) x₁) = intc l m (inj₂ (inj₂ y)) (A□++∞r P Q (PI Z y) l
  A□+r P Q Z .[] .(just (inj₁ (inj₁ (PT P x)))) (terc (inj₁ (inj₁ x))) = terc (inj₁ x)
  A□+r P Q Z .[] .(just (inj₁ (inj₂ (PT Q y)))) (terc (inj₁ (inj₂ y))) = terc (inj₂ (inj₁ y))
  A□+r P Q Z .[] .(just (inj₂ (PT Z y))) (terc (inj₂ y)) = terc (inj₂ (inj₂ y))


  A□∞++r : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process∞ ∞ {lu} c₀)
    (Q : Process+ ∞ {lu} c₁)
    (Z : Process+ ∞ {lu} c₂)
    → Ref∞ (fmap∞ Ass⊎r (P □∞++ (Q □++ Z))) (((P □∞++ Q) □∞++ Z))
  A□∞++r P Q Z l m (tnode tr) = tnode (A□+ppr (forcep P) Q Z l m tr)

  A□+∞+r : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process+ ∞ {lu} c₀)
    (Q : Process∞ ∞ {lu} c₁)
    (Z : Process+ ∞ {lu} c₂)
    → Ref∞ (fmap∞ Ass⊎r (P □+∞+ (Q □∞++ Z))) (((P □+∞+ Q) □∞++ Z))
  A□+∞+r P Q Z l m (tnode tr) = tnode (A□p+pr P (forcep Q) Z l m tr)

  A□++∞r : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process+ ∞ {lu} c₀)
    (Q : Process+ ∞ {lu} c₁)
    (Z : Process∞ ∞ {lu} c₂)
    → Ref∞ (fmap∞ Ass⊎r (P □+∞+ (Q □+∞+ Z))) (((P □++ Q) □+∞+ Z))
  A□++∞r P Q Z l m (tnode tr) = tnode (A□pp+r P Q (forcep Z) l m tr)

  A□+ppr : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process ∞ c₀)
    (Q : Process+ ∞ {lu} c₁)
    (Z : Process+ ∞ {lu} c₂)
    → Ref+ (fmap+ Ass⊎r (P □p++ (Q □++ Z))) (((P □p++ Q) □++ Z))
  A□+ppr (terminate x) Q Z l m tr = A□-++r Q Z x l m tr
  A□+ppr (node x) Q Z l m tr = A□+r x Q Z l m tr

  A□p+pr : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process+ ∞ {lu} c₀)
    (Q : Process ∞ c₁)
    (Z : Process+ ∞ {lu} c₂)
    → Ref+ (fmap+ Ass⊎r (P □++ (Q □p++ Z))) (((P □+p+ Q) □++ Z))
  A□p+pr P (terminate x) Z l m tr = A□+-+r P Z x l m tr
  A□p+pr P (node x) Z l m tr = A□+r P x Z l m tr


  A□pp+r : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process+ ∞ {lu} c₀)
    (Q : Process+ ∞ {lu} c₁)
    (Z : Process ∞ c₂)
    → Ref+ (fmap+ Ass⊎r (P □++ (Q □+p+ Z))) (((P □++ Q) □+p+ Z))
  A□pp+r P Q (terminate x) l m tr = A□++-r P Q m l x tr
  A□pp+r P Q (node x) l m tr = A□+r P Q x l m tr


  A□++-r : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process+ ∞ {lu} c₀)
    (Q : Process+ ∞ {lu} c₁)
    → (m : Maybe maybeExtC)
    → (l : List (Label lu))
    → (x : ChoiceSet c₂)
    → (tr : Tr+ l m (addTimed✓+ (inj₂ x) (fmap+ inj₁ (P □++ Q))))
    → Tr+ l m (fmap+ Ass⊎r (P □++ addTimed✓+ (inj₂ x) (fmap+ inj₁ Q)))
  A□++-r P Q .nothing .[] x empty = empty
  A□++-r P Q m .(Lab P x₁ ∷ l) x (extc l .m (inj₁ x₁) x₂) = let
      x' : Tr∞ l m (fmap∞ in
      x' = x₂
      x₃' : Tr∞ l m (fmap∞ (
      x₃' = lemFmap∞ inj₁ inj
      x₁' : Tr∞ l m (fmap∞ (
      x₁' = lemFmap∞ inj₁
      x₂' : Tr∞ l m (fmap∞
      x₂' = lemFmap∞R inj₁
    in extc l m (inj₁ x₁) x₂'
  A□++-r P Q m .(Lab Q y ∷ l) x (extc l .m (inj₂ y) x₂) = let
      x' : Tr∞ l m (fmap∞ inj₁ (fmap∞ i
      x' = x₂
      x₁' : Tr∞ l m (fmap∞ (Ass⊎r ∘ inj₂
      x₁' = lemFmap∞ inj₂ inj₁ (PE Q y)
      x₂' : Tr∞ l m (fmap∞ (Ass⊎r ∘ inj
      x₂' = lemFmap∞R inj₁ (Ass⊎r ∘ inj₂) (PE Q
      x₃' : Tr∞ l m (fmap∞ Ass⊎r (fmap∞ inj₂ (f
      x₃' = lemFmap∞R inj₂ Ass⊎r (fmap∞ inj₁ (
    in extc l m (inj₂ y) x₃'
  A□++-r P Q m l x (intc .l .m (inj₁ x₁) x₂) = intc l m (inj₁ x₁) (A□∞+-r (PI P x₁) Q m l x x₂)
  A□++-r P Q m l x (intc .l .m (inj₂ y) x₂) = intc l m (inj₂ y) (A□+∞-r P (PI Q y) m l x x₂)
  A□++-r P Q .(just (inj₂ x)) .[] x (terc (inj₁ zero)) = terc (inj₂ (inj₁ zero))
  A□++-r P Q .(just (inj₂ x)) .[] x (terc (inj₁ (suc ())))
  A□++-r P Q .(just (inj₁ (inj₁ (PT P x₁)))) .[] x (terc (inj₂ (inj₁ x₁))) = terc (inj₁ x₁)
  A□++-r P Q .(just (inj₁ (inj₂ (PT Q y)))) .[] x (terc (inj₂ (inj₂ y))) = terc (inj₂ (inj₂ y))


  A□-++r : {lu : LUniv}{c₀ c₁ c₂ : Choice}(Q : Process+ ∞ {lu} c₁)
    (Z : Process+ ∞ {lu} c₂)
    → (x : ChoiceSet c₀)
    → (l : List (Label lu))
    → (m : Maybe ((ChoiceSet c₀ ⊎ ChoiceSet c₁) ⊎ ChoiceSet c₂))
    → (tr : Tr+ l m (addTimed✓+ (inj₁ x) (fmap+ inj₂ Q) □++ Z))
    → Tr+ l m (fmap+ Ass⊎r (addTimed✓+ (inj₁ x) (fmap+ inj₂ (Q □++ Z))))
  A□-++r Q Z x .[] .nothing empty = empty
  A□-++r Q Z x .(Lab Q x₁ ∷ l) m (extc l .m (inj₁ x₁) x₂) = (let
      x' : Tr∞ l m (fmap∞ inj₁
      x' = x₂
      x₁' : Tr∞ l m (fmap∞ (As
      x₁' = lemFmap∞ inj₂ inj₁ (
      x₂' : Tr∞ l m (fmap∞ (As
      x₂' = lemFmap∞R inj₁ (As
      x₃' : Tr∞ l m (fmap∞ Ass
      x₃' = lemFmap∞R inj₂ Ass
    in extc l m (inj₁ x₁) x₃')
  A□-++r Q Z x .(Lab Z y ∷ l) m (extc l .m (inj₂ y) x₂) = let
      x' : Tr∞ l m (fmap∞ inj₂ (PE Z
      x' = x₂
      x₂' : Tr∞ l m (fmap∞ (Ass⊎r ∘ i
      x₂' = lemFmap∞R inj₂ (Ass⊎r ∘
      x₃' : Tr∞ l m (fmap∞ Ass⊎r (fm
      x₃' = lemFmap∞R inj₂ Ass⊎r (fm
    in extc l m ((inj₂ y)) x₃'
  A□-++r Q Z x l m (intc .l .m (inj₁ x₁) x₂) = intc l m (inj₁ x₁) (A□-∞+r (PI Q x₁) Z x l m
  A□-++r Q Z x l m (intc .l .m (inj₂ y) x₂) = intc l m (inj₂ y) (A□-+∞r Q (PI Z y) x l m x₂)
  A□-++r Q Z x .[] .(just (inj₁ (inj₁ x))) (terc (inj₁ (inj₁ zero))) = terc (inj₁ zero)
  A□-++r Q Z x .[] .(just (inj₁ (inj₁ x))) (terc (inj₁ (inj₁ (suc ()))))
  A□-++r Q Z x .[] .(just (inj₁ (inj₂ (PT Q y)))) (terc (inj₁ (inj₂ y))) = terc (inj₂ (inj₁ y))
  A□-++r Q Z x .[] .(just (inj₂ (PT Z y))) (terc (inj₂ y)) = terc (inj₂ (inj₂ y))


  A□+-+r : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process+ ∞ {lu} c₀)
    (Z : Process+ ∞ {lu} c₂)
    (x : ChoiceSet c₁)
    → (l : List (Label lu))
    → (m : Maybe maybeExtC)
    → (tr : Tr+ l m (addTimed✓+ (inj₂ x) (fmap+ inj₁ P) □++ Z))
    → Tr+ l m (fmap+ Ass⊎r (P □++ addTimed✓+ (inj₁ x) (fmap+ inj₂ Z)))
  A□+-+r P Z x .[] .nothing empty = empty
  A□+-+r P Z x .(Lab P x₁ ∷ l) m (extc l .m (inj₁ x₁) x₂) = let
      x' : Tr∞ l m (fmap∞ in
      x' = x₂
      x₃ : Tr∞ l m (fmap∞ (
      x₃ = lemFmap∞ inj₁ inj
      x₁' : Tr∞ l m (fmap∞ (
      x₁' = lemFmap∞ inj₁
      x₂' : Tr∞ l m (fmap∞
      x₂' = lemFmap∞R inj₁
    in extc l m (inj₁ x₁) x₂'
  A□+-+r P Z x .(Lab Z y ∷ l) m (extc l .m (inj₂ y) x₂) = let
      x' : Tr∞ l m (fmap∞ inj₂
      x' = x₂
      x₂' : Tr∞ l m (fmap∞ (Ass⊎r ∘ inj₂) (fm
      x₂' = lemFmap∞R inj₂ (Ass⊎r ∘ inj₂) (PE
      x₃' : Tr∞ l m (fmap∞ Ass⊎r (fmap∞ inj
      x₃' = lemFmap∞R inj₂ Ass⊎r (fmap∞ inj
    in extc l m ((inj₂ y)) x₃'
  A□+-+r P Z x l m (intc .l .m (inj₁ x₁) x₂) = intc l m (inj₁ x₁) (A□∞-+r (PI P x₁) Z x l m x₂)
  A□+-+r P Z x l m (intc .l .m (inj₂ y) x₂) = intc l m (inj₂ y) (A□+-∞r P (PI Z y) x l m x₂)
  A□+-+r P Z x .[] .(just (inj₁ (inj₂ x))) (terc (inj₁ (inj₁ x₁))) = terc (inj₂ (inj₁ zero))
  A□+-+r P Z x .[] .(just (inj₁ (inj₁ (PT P y)))) (terc (inj₁ (inj₂ y))) = terc (inj₁ y)
  A□+-+r P Z x .[] .(just (inj₂ (PT Z y))) (terc (inj₂ y)) = terc (inj₂ (inj₂ y))


  A□+∞-r : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process+ ∞ {lu} c₀)
    (Q : Process∞ ∞ {lu} c₁)
    → (m : Maybe maybeExtC)
    → (l : List (Label lu))
    → (x : ChoiceSet c₂)
    → (x₂ : Tr∞ l m (addTimed✓∞ (inj₂ x) (fmap∞ inj₁ (P □+∞+ Q))))
    → Tr∞ l m (fmap∞ Ass⊎r (P □+∞+ addTimed✓∞ (inj₂ x) (fmap∞ inj₁ (Q))))
  A□+∞-r P Q m l x (tnode tr) = tnode (A□+p-r P (forcep Q) m l x tr)


  A□∞+-r : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process∞ ∞ {lu} c₀)
    (Q : Process+ ∞ {lu} c₁)
    → (m : Maybe maybeExtC)
    → (l : List (Label lu))
    → (x : ChoiceSet c₂)
    → (x₂ : Tr∞ l m (addTimed✓∞ (inj₂ x) (fmap∞ inj₁ (P □∞++ Q))))
    → Tr∞ l m (fmap∞ Ass⊎r (P □∞++ addTimed✓+ (inj₂ x) (fmap+ inj₁ Q)))
  A□∞+-r P Q m l x (tnode tr) = tnode (A□p+-r (forcep P) Q m l x tr)


A.71. proofAssExt.agda

  A□-∞+r : {lu : LUniv}{c₀ c₁ c₂ : Choice}(Q : Process∞ ∞ {lu} c₁)
    (Z : Process+ ∞ {lu} c₂)
    → (x : ChoiceSet c₀)
    → (l : List (Label lu))
    → (m : Maybe ((ChoiceSet c₀ ⊎ ChoiceSet c₁) ⊎ ChoiceSet c₂))
    → (x₂ : Tr∞ l m (addTimed✓∞ (inj₁ x) (fmap∞ inj₂ Q) □∞++ Z))
    → Tr∞ l m (fmap∞ Ass⊎r (addTimed✓∞ (inj₁ x) (fmap∞ inj₂ (Q □∞++ Z))))
  A□-∞+r Q Z x l m tr = A□-p+r (forcep Q) Z x l m tr

  A□∞-+r : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process∞ ∞ {lu} c₀)
    (Z : Process+ ∞ {lu} c₂)
    → (x : ChoiceSet c₁)
    → (l : List (Label lu))
    → (m : Maybe maybeExtC)
    → (x₂ : Tr∞ l m (addTimed✓∞ (inj₂ x) (fmap∞ inj₁ (P)) □∞++ Z))
    → Tr∞ l m (fmap∞ Ass⊎r (P □∞++ addTimed✓+ (inj₁ x) (fmap+ inj₂ Z)))
  A□∞-+r P Z x l m tr = tnode (A□p-+r ((forcep P)) Z x l m tr)


  A□+-∞r : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process+ ∞ {lu} c₀)
    (Z : Process∞ ∞ {lu} c₂)
    → (x : ChoiceSet c₁)
    → (l : List (Label lu))
    → (m : Maybe maybeExtC)
    → (x₂ : Tr∞ l m (addTimed✓+ (inj₂ x) (fmap+ inj₁ P) □+∞+ Z))
    → Tr∞ l m (fmap∞ Ass⊎r (P □+∞+ addTimed✓∞ (inj₁ x) (fmap∞ inj₂ (Z)
  A□+-∞r P Z x l m tr = A□+-pr P (forcep Z) x l m tr


  A□-+∞r : {lu : LUniv}{c₀ c₁ c₂ : Choice}(Q : Process+ ∞ {lu} c₁)
    (Z : Process∞ ∞ {lu} c₂)
    → (x : ChoiceSet c₀)
    → (l : List (Label lu))
    → (m : Maybe maybeExtC)
    → (x₂ : Tr∞ l m (addTimed✓+ (inj₁ x) (fmap+ inj₂ Q) □+∞+ Z))
    → Tr∞ l m (fmap∞ Ass⊎r (addTimed✓∞ (inj₁ x) (fmap∞ inj₂ (Q □+∞+ Z)
  A□-+∞r Q Z x l m (tnode tr) = tnode (A□-+pr Q (forcep Z) x l m tr)


  A□p+-r : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process ∞ c₀)
    (Q : Process+ ∞ {lu} c₁)
    → (m : Maybe maybeExtC)
    → (l : List (Label lu))
    → (x : ChoiceSet c₂)
    → (x₂ : Tr+ l m ((addTimed✓+ (inj₂ x) (fmap+ inj₁ (P □p++ Q)))))
    → Tr+ l m (fmap+ Ass⊎r (P □p++ addTimed✓+ (inj₂ x) (fmap+ inj₁ Q)))
  A□p+-r (terminate x) Q m l x₁ x₂ = A□-+-r Q x₁ x l m x₂
  A□p+-r (node x) Q m l x₁ x₂ = A□++-r x Q m l x₁ x₂

  A□+p-r : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process+ ∞ {lu} c₀)
    (Q : Process ∞ c₁)
    → (m : Maybe maybeExtC)
    → (l : List (Label lu))
    → (x : ChoiceSet c₂)
    → (x₂ : Tr+ l m ((addTimed✓+ (inj₂ x) (fmap+ inj₁ (P □+p+ Q)))))
    → Tr+ l m (fmap+ Ass⊎r (P □+p+ addTimed✓ (inj₂ x) (fmap inj₁ Q)))
  A□+p-r P (terminate x) m l x₁ x₂ = A□+-r P m l x x₁ x₂
  A□+p-r P (node x) m l x₁ x₂ = A□++-r P x m l x₁ x₂

  A□+-pr : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process+ ∞ {lu} c₀)
    (Z : Process ∞ c₂)
    → (x : ChoiceSet c₁)
    → (l : List (Label lu))
    → (m : Maybe maybeExtC)
    → (x₂ : Tr l m (node (addTimed✓+ (inj₂ x) (fmap+ inj₁ P) □+p+ Z)))
    → Tr l m (node (fmap+ Ass⊎r (P □+p+ addTimed✓ (inj₁ x) (fmap inj₂ Z))))
  A□+-pr P (terminate x) x₁ l m x₂ = tnode (A□+-rr P m l x₁ x x₂)
  A□+-pr P (node x) x₁ l m (tnode tr) = tnode (A□+-+r P x x₁ l m tr)

  A□-+pr : {lu : LUniv}{c₀ c₁ c₂ : Choice}(Q : Process+ ∞ {lu} c₁)
    (Z : Process ∞ c₂)
    → (x : ChoiceSet c₀)
    → (l : List (Label lu))
    → (m : Maybe maybeExtC)
    → (tr : Tr+ l m ((addTimed✓+ (inj₁ x) (fmap+ inj₂ Q) □+p+ Z)))
    → Tr+ l m ((fmap+ Ass⊎r (addTimed✓+ (inj₁ x) (fmap+ inj₂ (Q □+p+ Z)))))
  A□-+pr Q (terminate x) x₁ l m tr = A□-+-r Q x x₁ l m tr
  A□-+pr Q (node x) x₁ l m tr = A□-++r Q x x₁ l m tr

  A□p-+r : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process ∞ c₀)
    (Z : Process+ ∞ {lu} c₂)
    → (x : ChoiceSet c₁)
    → (l : List (Label lu))
    → (m : Maybe maybeExtC)
    → (x₂ : Tr l m (node (addTimed✓ (inj₂ x) (fmap inj₁ P) □p++ Z)))
    → Tr+ l m ((fmap+ Ass⊎r (P □p++ addTimed✓+ (inj₁ x) (fmap+ inj₂ Z))))
  A□p-+r (terminate x) Z x₁ l m x₂ = A□--+rr Z x₁ x l m x₂
  A□p-+r (node x) Z x₁ l m (tnode tr) = A□+-+r x Z x₁ l m tr

  A□-p+r : {lu : LUniv}{c₀ c₁ c₂ : Choice}(Q : Process ∞ c₁)
    (Z : Process+ ∞ {lu} c₂)
    → (x : ChoiceSet c₀)
    → (l : List (Label lu))
    → (m : Maybe ((ChoiceSet c₀ ⊎ ChoiceSet c₁) ⊎ ChoiceSet c₂))
    → (tr : Tr l m (node (addTimed✓ (inj₁ x) (fmap inj₂ Q) □p++ Z)))
    → Tr l m (node (fmap+ Ass⊎r (addTimed✓+ (inj₁ x) (fmap+ inj₂ (Q □p++ Z
  A□-p+r (terminate q) Z x l m tr = tnode (A□--+rrrr Z q x l m tr)
  A□-p+r (node q) Z x l m (tnode tr) = tnode (A□-++r q Z x l m tr)

AD-+-r : {lu : LUniv}{c 0 <+ c 2 : Choice }(<5 : Process+ 00 {lu} ci) 

—> (rci : ChoiceSet c 0 ) 

-+ (x : ChoiceSet c 2 ) 

—y ( l : List (Label lu)) 

-+ (m : Maybe maybeExtC) 

—> ( X2 : Tr+ l m (addTimed/ + (inj 2 x\) (fmap+ inji (addTimed/ + (inji x) 
— y Tr+ l m (fmap+ Assttlr (addTimed/ + (inji x) (fmap+ inj 2 (addTimed/ + (i 
AD-+-r Q x 1 x .[] .nothing empty = empty 

AD-+-r Q x1 x .(Lab Q X2 :: l) m (extc l .m x^ x 3 ) = let 

x’ : Troo l m (fma| 

x’ = x 3 

x\ ’: Troo l m (fm; 
Xi ’ = lemFmapoo i 

x 2 ’ ' Troo l m (fm; 
x 2 ’ = lemFmapooR 

x 3 ’ : Troo l m (frm 
x 3 ’ = lemFmapooR 

i n extc l m x 2 x 3 ’ 


AD-+-r Q x₁ x l m (intc .l .m x₂ x₃) = intc l m x₂ (AD-oo-r (PI Q x₂) m l x x₁ x₃)

AD-+-r Q x₁ x .[] .(just (inj₂ x₁)) (terc (inj₁ zero)) = terc (inj₂ (inj₁ zero))

AD-+-r Q x₁ x .[] .(just (inj₂ x₁)) (terc (inj₁ (suc ())))

AD-+-r Q x₁ x .[] .(just (inj₁ (inj₁ x))) (terc (inj₂ (inj₁ zero))) = terc (inj₁ zero)

AD-+-r Q x₁ x .[] .(just (inj₁ (inj₁ x))) (terc (inj₂ (inj₁ (suc ()))))


AD-+-r Q x₁ x .[] .(just (inj₁ (inj₂ (PT Q y)))) (terc (inj₂ (inj₂ y))) = terc (inj₂ (inj₂ y))


AD+-r : {lu : LUniv}{c 0 c\ c 2 : Choice}(P : Process+ oo { lu } c 0 ) 

—>• (m : Maybe maybeExtC) 

— y (l : List (Label lu)) 

—> (x : ChoiceSet c\) 

—y (ay : ChoiceSet c 2 ) 

—> (x2 : Tr+ l m (addTimed/ + (inj 2 x 1 )(fmap+ inji (addTimed/ + (inj 2 x) (fmap+ inj 
— > Tr+ l m (fmap+ AssWr (P □++ fmap+ unifyAttlA ( 2 -/ + (inj 2 xi) (inji x)))) 

AD+-r P .nothing .[] x x\ empty = empty 

Am+—r P m .(Lab P x^ :: l) x X\ (extc l .m x 2 x%) = let 

x ’: Troo l m (fmapoo inj x (fmap 

x’ = x 3 

x ’ 3 : Troo l m (fmapoo (inji ° inj 
x ’ 3 = lemFmapoo inji inji (PE P 

Xi ’: Troo l m (fmapoo (AssWr o 
x\ ’ = lemFmapoo inji inji (PE 

X2 ’: Troo l m (fmapoo AssLtJr (fn 
a> 2 ’ = lemFmapooR inji Assttlr (P 

in extc l m (inji £2) x 2 ’ 

AD+~r P m l x x\ (intc .1 .m x 2 x 3 ) = intc l m (inji £2) (AlHoo— rr (PI P x 2 ) ml x x 1 x 3 ) 

AD+—r P .(just (inj 2 xi)) .[] x x\ (terc (inji zero)) = terc (inj 2 zero) 

A□ -} r P .(just (inj 2 ^i)) .[] x x\ (terc (inji (sue ()))) 

AD+—r P .(just (inji (inj 2 x))) .[] x X\ (terc (inj 2 (inji zer0 ))) = terc (inj 2 (sue zero)) 

AD+-r P .(just (inji (inj 2 x))) .[] x x x (terc (inj 2 (inji (sue ())))) 

AD+- r P .(just (inji (inji (PT P y)))) .[] x x 1 (terc (inj 2 (inj 2 y))) = terc (inji y) 

AD+—rr : {lu : LUniv}{co C\ c 2 : Choice}(P : Process+ 00 {lu} cq) 

—> (m : Maybe maybeExtC) 

—> ( l : List (Label lu)) 

—> (x'i : ChoiceSet c\) 

—> (x : ChoiceSet c 2 ) 

—> (x 2 : Tr l m (node (addTimed/ + (inj 2 x) (fmap+ inji (addTimed/ + (inj 2 x\) (fmap 
—y Tr+ l m (fmap+ Assl+lr (P □++ fmap+ unifyAWA ( 2 -/ + (inji £1) (inj 2 x)))) 

AD+—rr P .nothing .[] x X\ (tnode empty) = empty 

AD+—rr P m .(Lab P x 2 :: l) x x\ (tnode (extc l .m x 2 x 3 )) = let 


x’ : Troo l m (fmapoo in

x’ = x 3 

x ’ 3 : Troo l m (fmapoo ( 
x’s = lemFmapoo inji inj 

Xi ’: Troo l m (fmapoo ( 
X\ ’ = lemFmapoo inj] 

X2 ’ : Troo l m (fmapoo / 
x 2 ’ = lemFmapooR inji / 

in extc l m (inj] x 2 ) X2 ’ 

ADH—rr P m l x Xi (tnode (into .1 .m X2 x 3 )) = into l m (inj] a^) (ADoc—r (PI P 

AD+-rr P .(just (inj 2 xi)) .[] x x\ (tnode (terc (inji zero))) = terc (i nj 2 (sue zero)) 

ACM—rr P .(just (inj 2 xi)) .[] x x\ (tnode (terc (inji (sue ())))) 

ACM—rr P .(just (inji (inj 2 x))) .[] x x\ (tnode (terc (inj 2 (inji zero)))) = terc (inj 2 zero) 

A CM—rr P .(just (inji (inj 2 x))) .[] x x x (tnode (terc (inj 2 (inji (sue ()))))) 

ADH—rr P .(just (inji (inji (PT P y)))) .[] x x x (tnode (terc (inj 2 (inj 2 y)))) = terc (inji y) 


ADH— s r : {lu : LUniv}{c 0 C\ c 2 : Choice}(.P: Process+ 00 {lu} c 0 ) 

—> (m : Maybe maybeExtC) 

—y (l : List (Label lu)) 

—> (x : ChoiceSet ci) 

—>■ (x'i : ChoiceSet c 2 ) 

— > (x 2 : Tr+ l m (fmap+ AssWr (P □++ fmap+ unifyAWA ( 2 -/ + (inji %) (inj 2 
—> Tr+ l m (fmap+ AssWr (P □++ fmap+ unifyAl±)A ( 2 -/ + (inj 2 x \) (inji %))) 
ACM— s r P .nothing .[] x x\ empty = empty 
ACM— s r P m .(Lab P x 2 :: l) x x\ (extc l .m (inji £2) tr) = let 

x’ : Troo l m (fmapoo A 
x’ = tr 

x 3 : Troo l m (fmapoo ( 
x 3 = lemFmapoo inji As 

x 2 ’: Troo l m (fmapoo / 
x 2 ’ = lemFmapooR inji f 

in extc l m (inji £2) x 2 ’ 


ADH — s r P m .(Lab ( 2 -/ + (inji x) (inj2 ay)) _ :: l\) x ay (extc 4 .m (inj 2 ()) tr)

AlHH — s r P m l x X\ (intc .1 .m (inji a: 2 ) tr) = intc l m (inji x 2 ) (ADcxj—^r (PI Fa^) rah ay tr) 

Any — s r P m l x X\ (intc .1 .m (inj 2 ()) tr) 

Any— s r P .(just (inji (inji (PT P x 2 )))) .[] x ay (terc (inji ay)) = terc (injx x 2 ) 

An+~ s r P .(just (inji (inj 2 a;))) .[] x x\ (terc (inj 2 zero)) = terc (inj 2 (sue zero)) 

Amy— s r P .(just (inj 2 ay)) .[] a: ay (terc (inj 2 (sue zero))) = terc (inj 2 zero) 

ACM— s r P .(just (AssWr (inj 2 (unifyAl±lA (PT ( 2 -/ + (inji x) (inj 2 ay)) (sue (sue _))))))) .[] x ay (terc 


AD—+r : {lu : LUniv}{co cy c 2 : Choice}(Z : Processy- oo {lu} c 2 ) 

(q : ChoiceSet C\ ) 

—> (x : ChoiceSet c 0 ) 

—y ( l : List (Label lu)) 

—> (m : Maybe ((ChoiceSet c 0 W ChoiceSet c x ) l±l ChoiceSet c 2 )) 

—>■ ( tr : Tr+ l m (fmap+ unifyAl+lA ( 2 -/ + (inji x) (inj 2 q)) □++ Z)) 

Tr+ l m (fmap+ Assl+lr (addTimed/ + (inji x) (fmap+ inj 2 (addTimed/ + (inji q) (ft 
AD—+r Z q x .[] .nothing empty = empty 

AD—|-r Z q x .(Lab ( 2 -Z + (inji x) (inj 2 q)) _ :: / x ) m (extc 4 .m (inji ()) tr) 

AD—+r Z q x .(Lab Z y :: l) m (extc l .m (inj 2 y) tr) = let 

x’ : Troo l m (fmapexa inj 2 (PE Z y)) 

x’ = tr 

x 2 ’: Troo l m (fmapoo (AssWr o inj 2 ) (fm, 
x 2 ' = lemFmapooR inj 2 (AssWr o inj 2 ) (PE 
x 3 ’: Troo l m (fmapoo Asstilr (fmapoo inj 
x'3 ; = lemFmapooR inj 2 AssWr (fmapoo inj 

in extc l m y ay ’ 

AD--+r Z q x l m (intc .1 .m (inji ()) tr) 

AD—+r Z q x l m (intc .1 .m (inj 2 y) tr) = intc l m y (Ad— oor (PI Z y) q x l m tr) 

AD—+r Z qx .[] .(just (inji (inji z))) (terc (inj x zero)) = terc (inj x zero) 

AD—hr Z q x .[] .(just (inji (inj 2 q))) (terc (inji (sue zero))) = terc (inj 2 (inji zero)) 

An—hr Z qx .[] .(just (inji (unifyAl±)A (PT ( 2 -/ + (inji x) (inj 2 q)) (sue (sue -)))))) (terc (inji (sue ( 

Ad—+r Z q x .[] .(just (inj 2 (PT Z y))) (terc (inj 2 y)) = terc (inj 2 (inj 2 y)) 


Ad—+rr : {lu : LUniv}{c 0 c,\ c 2 : Choice}(Z : Process+ oo {lu} c 2 ) 

—> (xi : ChoiceSet c x ) 

—> (x : ChoiceSet c 0 ) 

—y (l : List (Label lu)) 

—>• (m : Maybe ((ChoiceSet c 0 W ChoiceSet c\) l±l ChoiceSet c 2 )) 

—y (tr : Tr l m (node (fmap+ unifyAttlA (2-/ + (inj 2 ay) (inji x)) n++ Z))) 


—> Tr+ l m (fmap+ AssWr (addTimed/ + (inji x ) (fmap+ inj 2 (addTimed/ + (i
AD— Frr Z x\ x .[] .nothing (tnode empty) = empty 

AD— Frr Z x\ x .(Lab (2-/ + (inj 2 x x ) (inji a:)) _ :: 4) m (tnode (extc 4 .m (inji ()) tr)) 

An— +rr Z X\ x .(Lab Z y :: /) m (tnode (extc l .m (inj 2 y) tr)) = let 

x ’: Troo l m (fmapoo inj 2 (PE Z 

x’ = tr 


x 2 ’: Troo l m (fmapoo (AssWr o i 
x 2 ’ = lemFmapooR inj 2 (Assl+lr o 
X3 ’: Troo l m (fmapoo AssWr (fm 
xs’= lemFmapooR inj 2 AssWr (frr 
in extc l m 


An —Frr Z X\ x l m (tnode (intc .1 .m (inji ()) tr)) 

An —|-rr Z xi x l m (tnode (intc .1 .m (inj 2 y) tr)) = intc l m y (An— oorrr (PI Z y) x a 

An —Frr Z x\ x .[] .(just (inji (inj 2 £i))) (tnode (terc (inji zer0 ))) = t erc (inj 2 (inji zero)) 

An —Frr Z x\ x .[] .(just (inji (inji %))) (tnode (terc (inji (sue zero)))) = terc (inji zero 
An —|-rr Z xi x .[] .(just (inji (unifyAWA (PT (2-/ + (inj 2 x\) (inji %)) (sue (sue -)))))) (tno< 

An —|-rr Z x x x .[] .(just (inj 2 (PT Z y))) (tnode (terc (inj 2 y))) = terc (inj 2 (inj 2 y)) 


An —Frrrr : {lu : LUniv}{co ci c 2 : Choice}(Z : Process+ oo { lu } c 2 ) 

-> (q : ChoiceSet ci) 

— y (x : ChoiceSet c 0 ) 

—t ( l : List (Label lu)) 

—> (m : Maybe ((ChoiceSet c 0 l±) ChoiceSet ci) l±) ChoiceSet c 2 )) 

—> {tr : Tr l m (node (fmap+ unifyAttlA (2-/ + (inji x) (inj 2 q)) n++ Z))) 

—y Tr+ l m ((fmap+ AssWr (addTimed/ + (inji x) (fmap+ inj 2 (addTimed/ + ( 
An —Frrrr Z q x .[] .nothing (tnode empty) = empty 

An —Frrrr Z q x .(Lab (2-/ + (inji x ) ( inj 2 q)) - '■ 4) m (tnode (extc 4 - m (inji ()) tr)) 

An —Frrrr Z q x .(Lab Z y :: /) m (tnode (extc l .m (inj 2 y) tr)) = let 

x’: Troo l m (fmapoo inj 2 (PE Z 

x’ = tr 

x 2 ’: Troo l m (fmapoo (Assttlr o i 
x 2 ’ = lemFmapooR inj 2 (Assl±)r o 
^3 ’: Troo l m (fmapoo Assttlr (fm 
X3 ’ = lemFmapooR inj 2 AssWr (frr 

in extc l m y Xj, ’ 

An —Frrrr Z q x l m (tnode (intc .1 .m (inji ()) tr)) 

AD—brrrr Z q x l m (tnode (intc .1 .m (inj 2 y) tr)) = intc l m y (Ad— oorrrrr (PI Z y) x q l rr< 

AD—Krrrr Z q x .\\ .(just (inji (inji x))) (tnode (terc (inji zero ))) — terc (inji zero) 


AD—|-rrrr Z q x .[] .(just (inji (inj 2 q ))) (tnode (terc (inji (sue zero)))) = terc (inj 2 (inji zero))

AD—|-rrrr Z q x .[] .(just (inji (unifyAttlA (PT (2-/ + (injx x) (inj 2 q)) (sue (sue _)))))) (tnode (terc ( 

AD-+rrrr Z q x .[] .(just (inj 2 (PT Z y))) (tnode (terc (inj 2 y))) = terc (inj 2 (inj 2 y)) 


AD—+ s rr : {lu : LUniv}{c 0 Ci c 2 : Choice}(Z : Process+ oo { lu } c 2 ) 

—>■ ( x : ChoiceSet c 0 ) 

—>• (ay : ChoiceSet ex) 

—> (l : List (Label lu)) 

—>• (m : Maybe ((ChoiceSet Co l±) ChoiceSet ex) l±l ChoiceSet c 2 )) 

—> ( X2 : Tr+ l m ((fmap+ unifyAttlA ( 2 -/ + (inj 2 ay) (injx %)) □++ Z))) 

—> Tr l m (node (fmap+ Assttlr (addTimed/ + (injx x) (fmap+ inj 2 (addTimed/ + (injx 
An~+ S rr Z x ay .[] .nothing empty = tnode empty 

An~+ S rr Z x ay .(Lab ( 2 -/ + (inj 2 o:x) (injx %)) - "■ h) m (extc 4 .m (inji ()) tr) 

AD--+ S rr Z x ay .(Lab Z y :: l) m (extc l .m (inj 2 y) tr) = let 

x’ : Troo l m (fmapoo inj 2 (PE Z y)) 

x’ = tr 


X2’ : Troo l m (fmapoo (AssWr o inj 2 ) (fm; 
X2 ’ = lemFmapooR inj 2 (Assttlr o inj 2 ) (PE 
X3’: Troo l m (fmapoo Assl±)r (fmapoo inj 
^ 3 ,= lemFmapooR inj 2 AssWr (fmapoo inj 
in tnode (extc l m y x 3 ’) 


Am~+ S rr Z x X\ l m (intc .1 .m (injx ()) tr) 

AD—F s rr Z x x 1 l m (intc .1 .m (inj 2 y) tr) = tnode (intc l m y (An— oo£rrrrrrrr (PI Z y) x x 1 l m tr)] 
An~+ S rr Z x ay .[] .(just (injx (inj 2 ay))) (terc (injx zero)) = tnode (terc (inj 2 (injx zero))) 

An— + s rr Z x ay .[] .(just (injx (inji 2;))) (terc (injx (sue zero))) = tnode (terc (injx zero)) 

An —F s rr Z x ay .[] .(just (injx (unifyAl±lA (PT (2-/ + (inj 2 xi) (injx x)) (sue (sue _)))))) (terc (injx (s 

An~+ S rr Z xx 1 .[] .(just (inj 2 (PT Z y))) (terc (inj 2 y)) = tnode (terc (inj 2 (inj 2 y))) 


AH-oo-r : {lu : LUniv}{co ex c 2 : Choice}(Q : Processoo 00 {lu} ex) 

—y (m : Maybe maybeExtC) 

—> (l : List (Label lu)) 

—>• {x : ChoiceSet c 0 ) 

—> (x\ : ChoiceSet c 2 ) 

—)• (0:3 : Troo l m (addTimed/ 00 (inj 2 x \) (fmapoo injx (addTimed/ 00 (injx x ) (fmapoo 
— > Troo l m (fmapoo AssWr (addTimed/ 00 (injx x ) (fmapoo inj 2 (addTimed/ 00 (inj 2 x \ 

AH-oo-r Q m l x ay tr = An-p-r (forcep Q) ay x l m tr 


A moo—r : {lu : LUniv}{c 0 c\ c 2 : Choice}(F : Processoo 00 {lu} Co)

—> (m : Maybe maybeExtC) 

—> ( l : List (Label lu)) 

—> (x : ChoiceSet ex) 

—v (xi : ChoiceSet c 2 ) 

— >■ ( X3 : Troo l m (addTimed/ 00 (inj 2 x) (fmapoo inji (addTimed/ 00 (inj 2 1 
—>• Troo l m (fmapoo Assttlr ( P Doo++ fmap+ unifyAWA ( 2 -/ + (inji x\) (inj 2 : 
Adoo—r P m l x X\ tr = Adp—rr (forcep P) X\ x l m tr 


Adoo—rr : {lu : LUniv}{c 0 c\ c 2 : Choice}(P : Processoo 00 {lu} c 0 ) 

—> (m : Maybe maybeExtC) 

—>• ( l : List (Label lu)) 

—y (x : ChoiceSet c\ ) 

—y (x\ : ChoiceSet c 2 ) 

—> ( xs : Troo l m (addTimed/00 (inj 2 xi)(fmapoo inji (addTimed/00 (inj 2 a 
—> Troo l m (fmapoo Asst+Jr (P doo++ fmap+ unifyAWA ( 2 -/ + (inj 2 x\) (inji • 
Adoo--rr P m l x x 1 tr = ADp—rrr (forcep P) x\ x l m tr -- 


Adoo~ s r : {lu : LUniv}{c 0 C\ c 2 : Choice}(P : Processoo 00 {lu} c 0 ) 

—> (m : Maybe maybeExtC) 

—> ( l : List (Label lu)) 

—> (x : ChoiceSet c\) 

—v (xi : ChoiceSet c 2 ) 

—j- (a: 3 : Troo l m (fmapoo AssWr ( P doo++ fmap+ unifyAWA ( 2 -/ + (inji x) ( 
—>■ Troo l m (fmapoo Asstfclr (P doo++ fmap+ unifyAWA ( 2 -/ + (inj 2 x\) (inji : 
Adoo-- s r P m l x X\ tr = Adp— s r (forcep P) x\ x l m tr 


Ad—oor : {lu : LUniv}{c 0 c x c 2 : Choice}(Z : Processoo 00 {lu} c 2 ) 

—> (q : ChoiceSet C \) 

—>• (x : ChoiceSet c 0 ) 

—> (l : List (Label lu)) 

—>• (m : Maybe maybeExtC) 

—> (x 2 : Troo l m (fmap+ unifyAt+JA (2-/ + (injx x) (inj 2 q )) d+oo+ /)) 

—> Troo l m (fmapoo Asst±Jr (addTimed/ 00 (injx x) (fmapoo inj 2 (addTimed/oc 
AD—oor Z q x l m tr = Adp— s rrrr (forcep Z) x q l m tr -- 


AD—oorrr : {lu : LUniv}{c 0 C\ c 2 : Choice}(Z : Processcx) oo {lu} c 2 )

—> (x : ChoiceSet c 0 ) 

—t (xi : ChoiceSet ci) 

—t (l : List (Label lu)) 

—> (m : Maybe maybeExtC) 

—> ( X2 : Troo l m (fmap+ unifyAttlA (2-/ + (inj 2 x\) (inji x)) d+oo+ Z)) 

—t Troo l m (fmapoo Assttlr (addTimed/oo (injx x)(fmapoo inj 2 (addTimed/oo (inji ay) 
AD—oorrr Z q x l m tr = Adp— s rrrrr (forcep Z) x q l m tr -- 


AD—oorrrr : {lu : LUniv}{c 0 C\ c 2 : Choice}(Z : Processoo oo {lu} c 2 ) 

—)■ ( x : ChoiceSet c 0 ) 

—t (xi : ChoiceSet ci) 

—> ( l : List (Label lu)) 

—t (m : Maybe maybeExtC) 

—> (j>2 ■ Troo l m (fmap+ unifyAttlA (2-/ + (inj 2 X\) (inji x)) d+oo+ Z)) 

—> Troo l m (fmapoo Assttlr (addTimed/oo (inji x)(fmapoo inj 2 (addTimed/oo (injx x\) 
AD—oorrrr Z q x l m tr = A Dp-- s rrrrr (forcep Z) x q l m tr -- 


AD—oorrrrr : {lu : LUniv}{c 0 ci c 2 : Choice}(Z : Processoo oo {lu} c 2 ) 

—t (x : ChoiceSet c 0 ) 

—> (q : ChoiceSet C\) 

—y (l : List (Label lu)) 

—> (m : Maybe maybeExtC) 

—> (j>2 ■ Troo l m (fmap+ unifyAttlA ( 2 -/ + (inj x x) (inj 2 q)) d+oo+ /)) 

—t Troo l m (fmapoo Assttlr (addTimed/oo (inji x)(fmapoo inj 2 (addTimed/oo (inji q) 
AD—oorrrrr Z q x l m tr = Adp— s rrrrrr (forcep Z) x q l m tr -- 

Ad—oo£rrrrrrrr : {lu : LUniv}{c 0 c\ c 2 : Choice}(Z : Processoo oo {lu} c 2 ) 

—y (x : ChoiceSet c 0 ) 

—y (ay : ChoiceSet c\) 

—> (l : List (Label lu)) 

—t (m : Maybe maybeExtC) 

—> (x2 : Troo l m (fmap+ unifyAttlA ( 2 -/ + (inj 2 ay) (inji x)) d+oo+ Z)) 

—> Troo l m (fmapoo Assttlr (addTimed/oo (inji a;)(fmapoo inj 2 (addTimed/oo (inji ay) 
Ad—oo£rrrrrrrr Z q x l m tr = Adp— s rrrrrrrrr (forcep Z) x q l m tr -- 

Adp—rr : {lu : LUniv}{co ci c 2 : Choice}(P : Process oo c 0 ) 


-> (x\ : ChoiceSet c 2 )

—> (x : ChoiceSet c \) 

—> (l : List (Label lu)) 

—> (m : Maybe maybeExtC) 

->■ (a& : Tr l m ((addTimed/ (inj 2 x ) (fmap inji (addTimed/ (inj 2 x\) (fmap inj 
—> Tr l m (node (fmap+ AssWr (P Dp++ fmap+ unifyAWA (2-/ + (inji xi) (inj 
A Dp--rr (terminate x) X\ x 2 .[] .nothing (tnode empty) = tnode empty 

A Dp--rr (terminate x) X\ x 2 .(Lab (2-/ + (inj 2 a^) (inji x)) _ :: 4) m (tnode (extc 4 .m 0 tr) 
Anp—rr (terminate x) x\ x 2 l m (tnode (intc .1 .m 0 tr)) 

ADp— rr (terminate x) x\ x 2 .[] .(just (inj 2 x 2 )) (tnode (terc (inji zero))) = tnode (terc (inj 2 (s 

Anp— rr (terminate x) x\ x 2 .[] .(just (inj 2 x 2 )) (tnode (terc (inji (sue ())))) 

Anp— rr (terminate x) x\ x 2 .[] .(just (inji (inj 2 xi))) (tnode (terc (inj 2 zero))) = tnode (terc ( 

ADp—rr (terminate x) X\ x 2 .[] .(just (inji (inji ^))) (tnode (terc (inj 2 (sue zero)))) = tnode (l 

ADp—rr (terminate x) X\ x 2 .[] .(just (inji (unifyAl±lA (PT (2-/ + (inj 2 x±) (inji x)) (sue (sue . 

(tnode (terc ( 

ADp—rr (node x) x\ x 2 l m X3 = tnode (ACM —rr x m l x 1 x 2 X3) 


AOp—rrr : {lu : LUniv}{c 0 ci c 2 : Choice}(P : Process 00 cq) 

—y (xi : ChoiceSet c 2 ) 

—> (x : ChoiceSet ci) 

—y (l : List (Label lu)) 

—> (m : Maybe maybeExtC) 

—> (x 3 : Tr l m ((addTimed/ (inj 2 a;i)(fmap inji (addTimed/ (inj 2 x) (fmap inj] 
— > Tr l m (node (fmap+ AssWr (P Dp++ fmap+ unifyAWA (2-/ + (inj 2 x\) (inj 
ADp—rrr (terminate x) x\ x 2 .[] .nothing (tnode empty) = tnode empty 
ADp—rrr (terminate x) x A x 2 .(Lab (2-/ + (inj 2 x 2 ) (inji %)) - 4) m (tnode (extc 4 -m, () tr 
ADp—rrr (terminate x) Xi x 2 l m (tnode (intc .1 .m 0 tr)) 

ADp—rrr (terminate x) X\ x 2 .[] .(just (inj 2 x\)) (tnode (terc (inj x zero))) = tnode (terc (inj 

ADp—rrr (terminate x) x\ x 2 .[] .(just (inj 2 xi)) (tnode (terc (inji (sue ())))) 

ADp—rrr (terminate x) x\ x 2 .[] .(just (inji (inj 2 ^2))) (tnode (terc (inj 2 zero))) = tnode (terc 

Anp—rrr (terminate x) x\ x 2 .[] .(just (inji (inji %))) (tnode (terc (inj 2 (sue zero)))) = tnode ( 

ADp—rrr (terminate x) X\ x 2 .[] .(just (inji (unifyAttlA (PT (2-/ + (inj 2 x 2 ) (inji %)) (sue (sue 

(tnode (ter 

ADp—rrr (node x) x\ x 2 l m (tnode x%) = tnode (AD+— r x ml x 2 x\ X3) 


ADp— s r : {lu : LUniv}{c 0 ci c 2 : Choice}(F : Process 00 c 0 ) 
—> (xi : ChoiceSet c 2 ) 


—» (x : ChoiceSet c x )

—» (l : List (Label lu)) 

—t (m : Maybe maybeExtC) 

—t (a; 3 : Tr l m (node (fmap+ Assttlr (P Dp++ fmap+ unifyAttlA (2-/ + (inj x x ) (inj 2 X\ 
—t Tr l m (node (fmap+ Assttlr (P Dp++ fmap+ unifyAttlA (2-/ + (inj 2 x\) (inji a;))))) 
ADp- s r (terminate x) x\ x 2 .[] .nothing (tnode empty) = tnode empty 

ADp- s r (terminate x) a; x x 2 .(Lab (2-/ + (inj x x 2 ) (inj 2 a; x )) _ :: 4) m (tnode (extc 4 .m 0 tr)) 

ADp— s r (terminate x) X\ x 2 l m (tnode (into .1 .m 0 tr)) 

ADp-sr (terminate x) X\ x 2 .[] .(just (inj x (inj x a;))) (tnode (terc (inj x zero))) = tnode (terc (inj x zero) 

ADp— s r (terminate a;) x\ x 2 .[] -(just (inj x (inj x x))) (tnode (terc (inj x (sue ())))) 

ADp— s r (terminate a;) x\ x 2 .[] .(just (inj x (inj 2 x 2 ))) (tnode (terc (inj 2 zero))) = tnode (terc (inj 2 (sui 

ADp— s r (terminate a;) x\ x 2 .[] .(just (inj 2 x \)) (tnode (terc (inj 2 (sue zero)))) = tnode (terc (inj 2 zero 

ADp- s r (terminate a;) X\ x 2 .[] .(just (Asstfclr (inj 2 (unifyAttlA (PT (2-/ + (inj x x 2 ) (inj 2 a; x )) (sue (sue 

(tnode (terc (inj 2 (s 

ADp- s r (node x) x\ x 2 l m (tnode tr) = tnode (ADH — x m l x 2 x\ tr) 

ADp— s rrrr : {lu : LUniv}{c 0 c x c 2 : Choice} (Z : Process oo c 2 ) 

—t (x : ChoiceSet c 0 ) 

—t (q : ChoiceSet c x ) 

—t (l : List (Label lu)) 

—> (m : Maybe maybeExtC) 

—t (a; 3 : Tr l m (node (fmap+ unifyAttlA (2-/ + (inj x x) (inj 2 q )) D+p+ Z))) 

—t Tr l m (fmap Assttlr (addTimed/ (inj x a;)(fmap inj 2 (addTimed/ (inj x q) (fmap inj 2 Z))) 
ADp— s rrrr (terminate x) X\ q .[] .nothing (tnode empty) = tnode empty 

ADp— s rrrr (terminate x) X\ q .(Lab (2-/ + (inj x a; x ) (inj 2 q)) _ :: 4) rn (tnode (extc 4 -m, 0 tr)) 
ADp— s rrrr (terminate x) x\ ql m (tnode (intc .1 .m 0 tr)) 

ADp— s rrrr (terminate x) X\ q .[] .(just (inj 2 x)) (tnode (terc (inj x zero))) = tnode (terc (inj 2 (sue zero) 

ADp— s rrrr (terminate x) Xi q .[] .(just (inj 2 a;)) (tnode (terc (inj x (sue ())))) 

ADp— s rrrr (terminate x) X\ q .[] .(just (inj x (inj x a; x ))) (tnode (terc (inj 2 zero))) = tnode (terc (inj x zer 
ADp— s rrrr (terminate x) x\ q .[] .(just (inj x (inj 2 q))) (tnode (terc (inj 2 (sue zero)))) = tnode (terc (in 

ADp— s rrrr (terminate x) x\ q .[] .(just (inj x (unifyAttlA (PT (2-/ + (inj x x\) (inj 2 q)) (sue (sue -)))))) 

(tnode (terc (inj 2 (sue ( 

ADp— s rrrr (node x) X\ q l m (tnode tr) = tnode (AD— +r x qx\ l m tr) 

ADp— s rrrrr : {lu : LUniv}{c 0 c x c 2 : Choice} (Z : Process oo c 2 ) 

—t (x : ChoiceSet c 0 ) 

—t (q : ChoiceSet c x ) 

—> (l : List (Label lu)) 

—t (m : Maybe maybeExtC) 

—> (x 3 : Tr l m (node (fmap+ unifyAttlA (2-/ + (inj 2 x) (inj x q)) D+p+ Z))) 


-> Tr l m (fmap Asstfclr (addTimed/ (inji g)(fmap inj 2 (addTimed/ (inji x) (fmap
ADp— s rrrrr (terminate x) X\ q .[] .nothing (tnode empty) = tnode empty 
ADp— s rrrrr (terminate x) X\ q .(Lab (2-/ + (inj 2 x 3 ) (inji q)) _ :: li) m (tnode (extc 4 .m () 
ADp— s rrrrr (terminate x) X\ q l m (tnode (into .1 .m 0 tr)) 

ADp— s rrrrr (terminate x) x\ q .[] .(just (inj 2 x)) (tnode (terc (inji £2))) = tnode (terc (inj 2 (si 

ADp— s rrrrr (terminate x) x\ q .[] .(just (inji (inj 2 £1))) (tnode (terc (inj 2 zero))) = tnode (ter 

ADp— s rrrrr (terminate x) X\ q .[] .(just (inji (inji <?))) (tnode (terc (inj 2 (sue zero)))) = tnode 

ADp— s rrrrr (terminate x) X\ q .[] .(just (inji (unifyAttlA (PT (2-/ + (inj 2 X\) (inji <?)) ( suc (su 

(tnode (ten 

ADp— s rrrrr (node x) Xi q l m x 3 = tnode (AD— +rr x X\ q l m X3) 

ADp— s rrrrrr : {lu : LUniv}{c 0 c\ c 2 : Choice} (Z : Process 00 c 2 ) 

—>• (x : ChoiceSet c 0 ) 

—)■ (q : ChoiceSet c x ) 

—> ( l : List (Label lu)) 

—>• (m : Maybe maybeExtC) 

-> (xs : Tr l m (node (fmap+ unifyAttlA (2-/ + (inji q) (inj 2 x)) n+p+ Z))) 

—> Tr l m (fmap AssWr (addTimed/ (inji <?)(f ma P inj 2 (addTimed/ (inji x) (fm 
ADp— s rrrrrr (terminate x) Xi q .[] .nothing (tnode empty) = tnode empty 
ADp— s rrrrrr (terminate x) x\ q .(Lab (2-/ + (inji q) (inj 2 xi)) _ l\) rri (tnode (extc 4 .m () 

ADp— s rrrrrr (terminate x) X\ q l m (tnode (intc .1 .m 0 tr)) 

ADp— s rrrrrr (terminate x) x\ q .[] .(just (inj 2 x)) (tnode (terc (inji zer0 ))) = tnode (terc (inj 2 

ADp— s rrrrrr (terminate x) Xi q .[] .(just (inj 2 a;)) (tnode (terc (inji ( suc ())))) 

ADp— s rrrrrr (terminate x) Xi q .[] .(just (inji (inji <?))) (tnode (terc (inj 2 zero))) = tnode (ten 

ADp— s rrrrrr (terminate x) Xi q .[] .(just (inji (inj 2 £1))) (tnode (terc (inj 2 (suc zero)))) = tnoi 

ADp— s rrrrrr (terminate x) X\ q .[] .(just (inji (unifyAttlA (PT (2-/ + (inji q) (inj 2 Xi)) 

(suc (suc -)))))) (tnode ( 

ADp— s rrrrrr (node x) X\ q l m x 3 = tnode (AD— +rrrr x X\ q l m x 3 ) 


ADp— s rrrrrrrrr : {lu : LUniv}{co c\ c 2 : Choice} (/ : Process 00 c 2 ) 

—>■ (x : ChoiceSet c x ) 

— t (q : ChoiceSet c 0 ) 

—> (l : List (Label lu)) 

—> (m : Maybe maybeExtC) 

—t (£3 : Tr l m (node (fmap+ unifyAttlA (2-/ + (inj 2 x) (inji <?)) n +P+ Z))) 

—t Tr l m (fmap Assttlr (addTimed/ (inji <?)(f ma P inj 2 (addTimed/ (inji x) (fm 
ADp— s rrrrrrrrr (terminate x) X\ q .[] .nothing (tnode empty) = tnode empty 
ADp— s rrrrrrrrr (terminate x) X\ q .(Lab (2-/ + (inj 2 X\) (inji <?)) - :: 4) rn (tnode (extc 4 -m 
ADp— s rrrrrrrrr (terminate x) X\ q l m (tnode (intc .1 .m 0 tr)) 

ADp-- 5 rrrrrrrrr (terminate x) x\ q .[] .(just (inj2 x)) (tnode (terc (inji zero ))) — tnode (terc (ir 


ADp—..rrrrrrrrr (terminate x) X\ q .[] .(just (inj 2 x)) (tnode (terc (inji (sue ()))))

ADp— s rrrrrrrrr (terminate x) X\ q .[] .(just (inji (inj 2 Xi))) (tnode (terc (inj 2 zero))) = tnode (terc (inj 

ADp— s rrrrrrrrr (terminate x) X\ q .[] .(just (inji (inji <?))) (tnode (terc (inj 2 (sue zero)))) = tnode (terc 

ADp— s rrrrrrrrr (terminate x) X\ q .[] .(just (inji (unifyAttlA (PT (2-/ / (inj 2 ^) (inji <?)) 

(sue (sue -)))))) (tnode (terc (inj 2 ( 
ADp— s rrrrrrrrr (node x) X\ q l m (tnode X3) = AD—/ s rr x qx\ l m X3 


AD-p-r : {lu : LUniv}{co Ci c 2 : Choice}(Q : Process 00 ci) 

—> (xi : ChoiceSet c 0 ) 

—> (x : ChoiceSet c 2 ) 

— y ( l : List (Label lu)) 

—> (m : Maybe maybeExtC) 

—)• ( x 3 : Tr l m (addTimed/ (inj 2 x\) (fmap inji (addTimed/ (inji x) (fmap inj 2 ( Q) 
—> Tr l m (fmap Asstfclr (addTimed/ (inji x) (fmap inj 2 (addTimed/ (inj 2 xi) (fmap inji 
AD-p-r (terminate x) x\ X2 .[] .nothing (tnode empty) = tnode empty 

AD-p-r (terminate x) x\ x 2 .(Lab (2-/ + (inji x 2 ) (inj 2 x)) _ :: 4) tr (tnode (extc 4 ■‘m 0 tr )) 

AD-p-r (terminate x) x\ x 2 l m (tnode (intc .1 .m 0 tr)) 

AD-p-r (terminate x) X\ x 2 .[] .(just (inj 2 cci)) (tnode (terc (inji zer0 ))) = tnode (terc (inj 2 zero)) 

AD-p-r (terminate x) x\ x 2 .[] .(just (inj 2 ^i)) (tnode (terc (inji ( suc ^3)))) = tnode (terc (inj 2 zero)) 

AD-p-r (terminate x) x\ x 2 .[] .(just (inji (inji ^2))) (tnode (terc (inj 2 zero))) = tnode (terc (inji zero) 
AD-p-r (terminate x) x\ x 2 .[] .(just (inji (inj 2 x))) (tnode (terc (inj 2 (suc zero)))) = tnode (terc (inj 2 

AD-p-r (terminate x) x\ x 2 .[] .(just (inji (unifyAttlA (PT (2-/ + (inji ^2) ( inj 2 x)) (suc (suc -)))))) 

(tnode (terc (inj 2 


AD-p-r (node x) X\ x 2 l m (tnode X3) = tnode (AD-+-r x X\ x 2 l m x%) 


--@BEGIN@AssExEqDef 


=AD+ : {lu : LUniv}{c₀ c₁ c₂ : Choice}
    (P : Process+ oo {lu} c₀)
    (Q : Process+ oo {lu} c₁)
    (Z : Process+ oo {lu} c₂)
    → ((P □++ Q) □++ Z) =+ fmap+ AssWr (P □++ (Q □++ Z))

--@END


--@BEGIN@AssExEqDefProof

=AD+ P Q Z = (AD+ P Q Z) , AD+r P Q Z


--@END


A.72 proofBisimForInterleaving.agda


--@PREFIX@proofBisimForInterleaving 
module proofBisimForInterleaving where


open import process
open import choiceSetU
open import Size
open import Relation.Binary.PropositionalEquality
open import Data.Sum
open import renamingResult
open import lemFmap
open import auxData
open import interleave
open import RefWithoutSize
open import bisimilarity
open import bisimSImpliesBisimw
open import bisimilarityProofs
open import bisimImpliesTraceEquiv
open import bisimLemFmap
open import bisimImpliesFDI
open import fdiRefusal
open import bisimImpliesBisim
open import labelUniv
open import bisimImpliesFDIPartTwo
open import bisimImpliesTraceEquiv
open import traceEquivalence
open import bisimwImpliesStableFailuresEquivalence


mutual 

--@BEGIN@SymIntBisim 


C|||+ : {lu : LUniv} {c₀ c₁ : Choice}
    (P : Process+ oo {lu} c₀)
    (Q : Process+ oo {lu} c₁)
    → Bisims+ (P |||++ Q) (fmap+ swapx (Q |||++ P))


--@END


--@BEGIN@SymIntBisimProof 

bisim2E (C|||+ P Q) (inj₁ x) = inj₂ x
bisim2E (C|||+ P Q) (inj₂ y) = inj₁ y
bisimELab (C|||+ P Q) (inj₁ x) = refl
bisimELab (C|||+ P Q) (inj₂ y) = refl
bisimENext (C|||+ P Q) (inj₁ x) = C|||oo+ (PE P x) Q
bisimENext (C|||+ P Q) (inj₂ y) = C|||+oo P (PE Q y)
bisim2I (C|||+ P Q) (inj₁ x) = inj₂ x
bisim2I (C|||+ P Q) (inj₂ y) = inj₁ y
bisimINext (C|||+ P Q) (inj₁ x) = C|||oo+ (PI P x) Q
bisimINext (C|||+ P Q) (inj₂ y) = C|||+oo P (PI Q y)
bisim2T (C|||+ P Q) (x ,, x₁) = (x₁ ,, x)
bisim2TEq (C|||+ P Q) (x ,, x₁) = refl
bisim2Er (C|||+ P Q) (inj₁ x) = inj₂ x
bisim2Er (C|||+ P Q) (inj₂ y) = inj₁ y
bisimELabr (C|||+ P Q) (inj₁ x) = refl
bisimELabr (C|||+ P Q) (inj₂ y) = refl
bisimENextr (C|||+ P Q) (inj₁ x) = C|||+oo P (PE Q x)
bisimENextr (C|||+ P Q) (inj₂ y) = C|||oo+ (PE P y) Q
bisim2Ir (C|||+ P Q) (inj₁ x) = inj₂ x
bisim2Ir (C|||+ P Q) (inj₂ y) = inj₁ y
bisimINextr (C|||+ P Q) (inj₁ x) = C|||+oo P (PI Q x)
bisimINextr (C|||+ P Q) (inj₂ y) = C|||oo+ (PI P y) Q
bisim2Tr (C|||+ P Q) (x ,, x₁) = x₁ ,, x
bisim2TEqr (C|||+ P Q) (x ,, x₁) = refl


--@END


C||| : {lu : LUniv}{c₀ c₁ : Choice} (P : Process oo {lu} c₀) (Q : Process oo {lu} c₁)
    → Bisims (P ||| Q) (fmap swapx (Q ||| P))
C||| (terminate x) (terminate x₁) = eqterminate
C||| (terminate x) (node x₁) = eqnode (lemBisimFmap+ (λ a → a ,, x) swapx x₁)
C||| (node x) (terminate x₁) = eqnode (lemBisimFmap+ (_,,_ x₁) swapx x)
C||| (node P) (node Q) = eqnode (C|||+ P Q)

C|||oo : {lu : LUniv}{c₀ c₁ : Choice} (P : Processoo oo {lu} c₀) (Q : Processoo oo {lu} c₁)
    → Bisimsoo (P |||oo Q) (fmapoo swapx (Q |||oo P))
forceB (C|||oo P Q) = C||| (forcep P) (forcep Q)

C|||+p : {lu : LUniv}{c₀ c₁ : Choice}
    → (P : Process+ oo {lu} c₀)
    → (Q : Process oo {lu} c₁)
    → Bisims+ (P |||+p Q) (fmap+ swapx (Q |||p+ P))
C|||+p P (terminate x) = lemBisimFmap+ (_,,_ x) swapx P
C|||+p P (node x) = C|||+ P x

C|||p+ : {lu : LUniv}{c₀ c₁ : Choice}
    → (P : Process oo {lu} c₀)
    → (Q : Process+ oo {lu} c₁)
    → Bisims+ (P |||p+ Q) (fmap+ swapx (Q |||+p P))
C|||p+ (terminate x) Q = lemBisimFmap+ (λ a → a ,, x) swapx Q
C|||p+ (node P) Q = C|||+ P Q

C|||+oo : {lu : LUniv}{c₀ c₁ : Choice}
    → (P : Process+ oo {lu} c₀)
    → (Q : Processoo oo {lu} c₁)
    → Bisimsoo (P |||+oo Q) (fmapoo swapx (Q |||oo+ P))
forceB (C|||+oo P Q) = eqnode (C|||+p P (forcep Q))

C|||oo+ : {lu : LUniv}{c₀ c₁ : Choice}
    → (P : Processoo oo {lu} c₀)
    → (Q : Process+ oo {lu} c₁)
    → Bisimsoo (P |||oo+ Q) (fmapoo swapx (Q |||+oo P))
forceB (C|||oo+ P Q) = eqnode (C|||p+ (forcep P) Q)


--@BEGIN@SymIntBisimW

SW||| : {lu : LUniv}{c₀ c₁ : Choice}
    (P : Process oo {lu} c₀)
    (Q : Process oo {lu} c₁)
    → Bisimw (P ||| Q) (fmap swapx (Q ||| P))

--@END

--@BEGIN@SymIntBisimWProof

SW||| P Q = bisimsToBismw (P ||| Q)
    (fmap swapx (Q ||| P)) (C||| P Q)


--@END


--@BEGIN@SymIntBisimWR


SW|||r : {lu : LUniv} {c₀ c₁ : Choice}
    (P : Process oo {lu} c₀)
    (Q : Process oo {lu} c₁)
    → Bisimw (fmap swapx (Q ||| P)) (P ||| Q)
SW|||r P Q = BismwSym (P ||| Q)
    (fmap swapx (Q ||| P)) (SW||| P Q)


--@END


--@BEGIN@SymIntBisimTraceEq

WbisimTraceEqFor|||' : {lu : LUniv} {c : Choice}
    (P P' : Process oo {lu} c)
    → (P ||| P') ⊑ (fmap swapx (P' ||| P))
WbisimTraceEqFor|||' P P' l m tr = bisimTraceEq (P ||| P')
    (fmap swapx (P' ||| P))
    (SW||| P P') l m tr


--@END


--@BEGIN@SymIntBisimWbisimTraceEqForR

WbisimTraceEqFor|||r : {lu : LUniv}{c : Choice}
    (P P' : Process oo {lu} c)
    → (fmap swapx (P' ||| P)) ⊑ (P ||| P')
WbisimTraceEqFor|||r P P' l m tr = bisimTraceEq (fmap swapx (P' ||| P))
    (P ||| P')
    (SW|||r P P') l m tr


--@END


--@BEGIN@SymIntBisimWbisimFdione

WbisimFdi1|||' : {lu : LUniv} {c : Choice}
    (P P' : Process oo {lu} c)
    → (P ||| P') ⊑fdi1 (fmap swapx (P' ||| P))
WbisimFdi1|||' P P' l x = bisimImTrD (P ||| P')
    (fmap swapx (P' ||| P))
    (SW||| P P') l x


--@END


--@BEGIN@SymIntBisimWbisimFdioneR

WbisimFdi1|||r : {lu : LUniv}{c : Choice}
    (P P' : Process oo {lu} c)
    → (fmap swapx (P' ||| P)) ⊑fdi1 (P ||| P')
WbisimFdi1|||r P P' l x = bisimImTrD (fmap swapx (P' ||| P))
    (P ||| P')
    (SW|||r P P') l x


--@END


--@BEGIN@SymIntBisimWbisimFditwo

WbisimFdi2|||' : {lu : LUniv}{c : Choice}
    (P P' : Process oo {lu} c)
    → (P ||| P') ⊑fdi2ros (fmap swapx (P' ||| P))

WbisimFdi2|||' P P' l X x₁ = bisimRefusalros (P ||| P')
    (fmap swapx (P' ||| P))
    (SW||| P P') l X x₁

WbisimFdi3|||' : {lu : LUniv}{c : Choice}
    (P P' : Process oo {lu} c)
    → (P ||| P') ⊑fdi3 (fmap swapx (P' ||| P))

WbisimFdi3|||' P P' = bisimImFDI3
    (P ||| P') (fmap swapx (P' ||| P)) (SW||| P P')


--@END


--@BEGIN@SymIntBisimWbisimFditwoR 

WbisimFdi2|||r : {lu : LUniv}{c : Choice}
    (P P' : Process oo {lu} c)
    → (fmap swapx (P' ||| P)) ⊑fdi2ros (P ||| P')

WbisimFdi2|||r P P' l X x₁ = bisimRefusalros (fmap swapx (P' ||| P))
    (P ||| P')
    (SW|||r P P') l X x₁

WbisimFdi3|||r : {lu : LUniv}{c : Choice}
    (P P' : Process oo {lu} c)
    → (fmap swapx (P' ||| P)) ⊑fdi3 (P ||| P')

WbisimFdi3|||r P P' = bisimImFDI3
    (fmap swapx (P' ||| P)) (P ||| P') (SW|||r P P')


--@END


--@BEGIN@SymIntBisimWbisimFdiR


WbisimFdi|||r : {lu : LUniv}{c : Choice}(P P' : Process oo {lu} c)
    → (fmap swapx (P' ||| P)) ⊑fdi (P ||| P')
WbisimFdi|||r P P' = ((WbisimTraceEqFor|||r P P'
    ,, WbisimFdi1|||r P P')
    ,, WbisimFdi2|||r P P')
    ,, WbisimFdi3|||r P P'


--@END


--@BEGIN@SymIntBisimWbisimFdi

WbisimFdi||| : {lu : LUniv}{c : Choice}(P P' : Process oo {lu} c)
    → (P ||| P') ⊑fdi (fmap swapx (P' ||| P))

WbisimFdi||| P P' = (((WbisimTraceEqFor|||' P P')
    ,, (WbisimFdi1|||' P P'))
    ,, (WbisimFdi2|||' P P'))
    ,, (WbisimFdi3|||' P P')


--@END


--@BEGIN@SymIntBisimWbisimFdiEq

WbisimFdiEq||| : {lu : LUniv}{/i/ : LUniv}{c : Choice}
    (P P' : Process oo {lu} c)
    → (P ||| P') =fdi (fmap swapx (P' ||| P))

WbisimFdiEq||| P P' = (WbisimFdi||| P P') ,, WbisimFdi|||r P P'


--@END


--@BEGIN@CommuteInterleaveTrace

commute|||Trace+ : {lu : LUniv}{c₀ c₁ : Choice}
    (P : Process+ oo {lu} c₀)
    (P' : Process+ oo {lu} c₁)
    → (P |||++ P') =+ (fmap+ swapx (P' |||++ P))

--@END


--@BEGIN@CommuteInterleaveTraceProof

commute|||Trace+ P P' = bisimTraceEqs+= (P |||++ P')
    (fmap+ swapx (P' |||++ P))
    (C|||+ P P')


--@END


--@BEGIN@CommuteInterleaveSF

commute|||SF+ : {lu : LUniv}{c₀ c₁ : Choice}
    (P : Process+ oo {lu} c₀)
    (P' : Process+ oo {lu} c₁)
    → (P |||++ P') =sf+ (fmap+ swapx (P' |||++ P))


--(SEND 


--(SBEGINGCommutelnterleaveSFProof 

commute) j |SF+ P P’ = bisimslmplies=sf+ (P |||++ P’) 

(fmap+ swapx ( P’ |||++ P)) 

(Clll +PP) 


--SEND 


- -(SBEGINGCommutelnterleaveFDI 

commute)||FDI+ : {lu : LUniv}{c 0 c\ : Choice} 

(P : Process+ oo {lu} c 0 ) 

(P’: Process+ oo {lu} c\ ) 

—> (P |||++ P’) =fdi+ (fmap+ swapx (P’ |||++ P)) 


--(SEND 

--(SBEGINGCommutelnterleaveFDIProof 


a 
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commutej||FDI+ P P’ = bisimsImFdiEquiv (P |||++ P’) 

(fmap+ swapx ( P’ |||++ P)) 

(C|||+ P P’) 


—SEND 


A.73 proofBisimSFFdiMonadicLaws.agda


--@PREFIX@proofBisimSFFdiMonadicLaws
-- was proofBisimImpliesFdimonadicLaw
{-# OPTIONS --allow-unsolved-metas #-}
module proofBisimSFFdiMonadicLaws where
-- was proofBisimSFFdiMonadicLaws.agda


open import process
open import choiceSetU
open import Size
open import Relation.Binary.PropositionalEquality
open import Data.Sum
open import auxData
open import RefWithoutSize
open import bisimilarity
open import bisimSImpliesBisimw
open import bisimilarityProofs
open import bisimImpliesTraceEquiv
open import bisimImpliesFDI
open import fdiRefusal
open import bisimImpliesBisim
open import bisimSym
open import sequentialCompositionRev
open import labelUniv
open import bisimImpliesFDIPartTwo
open import bisimImpliesTraceEquiv
open import traceEquivalence renaming (_=_ to _=tr_; _=+_ to _=tr+_)
open import bisimwImpliesStableFailuresEquivalence


--@BEGIN@monadicLawones
monadicLaw₁S : {lu : LUniv}{c₀ c₁ : Choice}
               (a : ChoiceSet c₀)
               (P : ChoiceSet c₀ → Process ∞ {lu} c₁)
               → Bisims (terminate a >>= P) (P a)
--@END

--@BEGIN@monadicLawonesProof
monadicLaw₁S a P = BismsRef (P a)
--@END


--@BEGIN@monadicLawone
monadicLaw₁ : {lu : LUniv}{c₀ c₁ : Choice}
              (a : ChoiceSet c₀)
              (P : ChoiceSet c₀ → Process ∞ {lu} c₁)
              → Bisimw (terminate a >>= P) (P a)
--@END


--@BEGIN@monadicLawoneProof
monadicLaw₁ a P = BismwRef (P a)
--@END


--@BEGIN@monadicLawoneR
monadicLaw₁R : {lu : LUniv}{c₀ c₁ : Choice}
               (a : ChoiceSet c₀)
               (P : ChoiceSet c₀ → Process ∞ {lu} c₁)
               → Bisimw (P a) (terminate a >>= P)
monadicLaw₁R a P = BismwRef (P a)
--@END


--@BEGIN@WbisimTraceEqForMonadone
WbisimTraceEqForMonad₁ : {lu : LUniv}{c₀ c₁ : Choice}
                         (a : ChoiceSet c₀)
                         (P : ChoiceSet c₀ → Process ∞ {lu} c₁)
                         → (P a) ⊑ (terminate a >>= P)
WbisimTraceEqForMonad₁ a P l m tr = bisimTraceEq (P a)
                                                  (terminate a >>= P)
                                                  (monadicLaw₁ a P) l m tr
--@END


--@BEGIN@WbisimTraceEqForMonadoneR
WbisimTraceEqForMonad₁r : {lu : LUniv}{c₀ c₁ : Choice}
                          (a : ChoiceSet c₀)
                          (P : ChoiceSet c₀ → Process ∞ {lu} c₁)
                          → (terminate a >>= P) ⊑ (P a)
WbisimTraceEqForMonad₁r a P l m tr = bisimTraceEq
                                       (terminate a >>= P) (P a)
                                       (monadicLaw₁R a P) l m tr
--@END


--@BEGIN@WbisimFdioneMonadone
WbisimFdi₁Monad₁ : {lu : LUniv}{c₀ c₁ : Choice}
                   (a : ChoiceSet c₀)
                   (P : ChoiceSet c₀ → Process ∞ {lu} c₁)
                   → (P a) ⊑fdi₁ (terminate a >>= P)
WbisimFdi₁Monad₁ a P l x = bisimImTrD (P a)
                                      (terminate a >>= P)
                                      (monadicLaw₁ a P) l x
--@END


--@BEGIN@WbisimFdioneMonadoneR
WbisimFdi₁Monad₁r : {lu : LUniv}{c₀ c₁ : Choice}
                    (a : ChoiceSet c₀)
                    (P : ChoiceSet c₀ → Process ∞ {lu} c₁)
                    → (terminate a >>= P) ⊑fdi₁ (P a)
WbisimFdi₁Monad₁r a P l x = bisimImTrD (terminate a >>= P)
                                        (P a)
                                        (monadicLaw₁R a P) l x
--@END


--@BEGIN@WbisimFditwoMonadone
WbisimFdi₂Monad₁ : {lu : LUniv}{c₀ c₁ : Choice}
                   (a : ChoiceSet c₀)
                   (P : ChoiceSet c₀ → Process ∞ {lu} c₁)
                   → (P a) ⊑fdi₂ros (terminate a >>= P)
WbisimFdi₂Monad₁ a P l X x = bisimRefusalros (P a)
                                             (terminate a >>= P)
                                             (monadicLaw₁ a P) l X x

WbisimFdi₃Monad₁ : {lu : LUniv}{c₀ c₁ : Choice}
                   (a : ChoiceSet c₀)
                   (P : ChoiceSet c₀ → Process ∞ {lu} c₁)
                   → (P a) ⊑fdi₃ (terminate a >>= P)
WbisimFdi₃Monad₁ a P = bisimImFDI₃ (P a) (terminate a >>= P) (monadicLaw₁ a P)
--@END


--@BEGIN@WbisimFditwoMonadoneR
WbisimFdi₂Monad₁r : {lu : LUniv}{c₀ c₁ : Choice}
                    (a : ChoiceSet c₀)
                    (P : ChoiceSet c₀ → Process ∞ {lu} c₁)
                    → (terminate a >>= P) ⊑fdi₂ros (P a)
WbisimFdi₂Monad₁r a P l X x = bisimRefusalros
                                (terminate a >>= P)
                                (P a) (monadicLaw₁R a P) l X x

WbisimFdi₃Monad₁r : {lu : LUniv}{c₀ c₁ : Choice}
                    (a : ChoiceSet c₀)
                    (P : ChoiceSet c₀ → Process ∞ {lu} c₁)
                    → (terminate a >>= P) ⊑fdi₃ (P a)
WbisimFdi₃Monad₁r a P = bisimImFDI₃ (terminate a >>= P) (P a) (monadicLaw₁R a P)
--@END


--@BEGIN@WbisimFdiMonadone
WbisimFdiMonad₁ : {lu : LUniv}{c₀ c₁ : Choice}
                  (a : ChoiceSet c₀)
                  (P : ChoiceSet c₀ → Process ∞ {lu} c₁)
                  → (P a) ⊑fdi (terminate a >>= P)
WbisimFdiMonad₁ a P = (((WbisimTraceEqForMonad₁ a P)
                       ,, (WbisimFdi₁Monad₁ a P))
                       ,, (WbisimFdi₂Monad₁ a P))
                       ,, WbisimFdi₃Monad₁ a P
--@END


--@BEGIN@WbisimFdiMonadoneR
WbisimFdiMonad₁r : {lu : LUniv}{c₀ c₁ : Choice}
                   (a : ChoiceSet c₀)
                   (P : ChoiceSet c₀ → Process ∞ {lu} c₁)
                   → (terminate a >>= P) ⊑fdi (P a)
WbisimFdiMonad₁r a P = (((WbisimTraceEqForMonad₁r a P)
                        ,, (WbisimFdi₁Monad₁r a P))
                        ,, (WbisimFdi₂Monad₁r a P))
                        ,, WbisimFdi₃Monad₁r a P
--@END


--@BEGIN@WbisimFdiEqMonadone
WbisimFdiEqMonad₁ : {lu : LUniv}{c₀ c₁ : Choice}
                    (a : ChoiceSet c₀)
                    (P : ChoiceSet c₀ → Process ∞ {lu} c₁)
                    → (terminate a >>= P) =fdi (P a)
WbisimFdiEqMonad₁ a P = (WbisimFdiMonad₁ a P)
                        ,, (WbisimFdiMonad₁r a P)
--@END


mutual

  --@BEGIN@monadicLawthreeInf
  monadicLaw₁₋₃∞ : {lu : LUniv}{c₀ c₁ c₂ : Choice}
                   (P : Process∞ ∞ {lu} c₀)
                   (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
                   (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
                   → Bisims∞ ((P >>=∞ Q) >>=∞ R)
                             (P >>=∞ (λ x → Q x >>= R))
  --@END


  --@BEGIN@monadicLawthreeInfProof
  forceB (monadicLaw₁₋₃∞ P Q R) = monadicLaw₁₋₃ (forcep P) Q R

  monadicLaw₁₋₃ : {lu : LUniv}{c₀ c₁ c₂ : Choice}
                  (P : Process ∞ {lu} c₀)
                  (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
                  (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
                  → Bisims ((P >>= Q) >>= R)
                           (P >>= (λ x → Q x >>= R))
  monadicLaw₁₋₃ (terminate x) Q R =
      BismsRef (((terminate x >>= Q) >>= R))
  monadicLaw₁₋₃ (node x) Q R = eqnode (monadicLaw₁₋₃+ x Q R)

  monadicLaw₁₋₃+ : {lu : LUniv}{c₀ c₁ c₂ : Choice}
                   (P : Process+ ∞ {lu} c₀)
                   (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
                   (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
                   → Bisims+ ((P >>=+ Q) >>=+ R)
                             (P >>=+ (λ x → Q x >>= R))
  bisim2E (monadicLaw₁₋₃+ P Q R) e = e
  bisimELab (monadicLaw₁₋₃+ P Q R) e = refl
  bisimENext (monadicLaw₁₋₃+ P Q R) e =
      monadicLaw₁₋₃∞ (PE P e) Q R
  bisim2I (monadicLaw₁₋₃+ P Q R) (inj₁ (inj₁ x)) = inj₁ x
  bisim2I (monadicLaw₁₋₃+ P Q R) (inj₁ (inj₂ y)) = inj₂ y
  bisim2I (monadicLaw₁₋₃+ P Q R) (inj₂ ())
  bisim1Next (monadicLaw₁₋₃+ P Q R) (inj₁ (inj₁ x)) =
      monadicLaw₁₋₃∞ (PI P x) Q R
  bisim1Next (monadicLaw₁₋₃+ P Q R) (inj₁ (inj₂ y)) =
      monadPT+ P Q R y
  bisim1Next (monadicLaw₁₋₃+ P Q R) (inj₂ ())
  bisim2T (monadicLaw₁₋₃+ P Q R) ()
  bisim2TEq (monadicLaw₁₋₃+ P Q R) ()
  bisim2Er (monadicLaw₁₋₃+ P Q R) e = e
  bisimELabr (monadicLaw₁₋₃+ P Q R) e = refl
  bisimENextr (monadicLaw₁₋₃+ P Q R) e = monadicLaw∞ P Q R e
  bisim2Ir (monadicLaw₁₋₃+ P Q R) (inj₁ x) = inj₁ (inj₁ x)
  bisim2Ir (monadicLaw₁₋₃+ P Q R) (inj₂ y) = inj₁ (inj₂ y)
  bisim1Nextr (monadicLaw₁₋₃+ P Q R) (inj₁ x) = monadicLaw₁₋₃∞ (PI P x) Q R
  bisim1Nextr (monadicLaw₁₋₃+ P Q R) (inj₂ y) =
      monadPT+ P Q R y
  bisim2Tr (monadicLaw₁₋₃+ P Q R) e = e
  bisim2TEqr (monadicLaw₁₋₃+ P Q R) ()
  --@END


  --@BEGIN@monadPTplus
  monadPT+ : {lu : LUniv}{c₀ c₁ c₂ : Choice}
             (P : Process+ ∞ {lu} c₀)
             (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
             → (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
             → (y : ChoiceSet (T P))
             → Bisims∞ ((PI (P >>=+ Q) (inj₂ y) >>=∞ R))
                       (PI (P >>=+ (λ x → Q x >>= R)) (inj₂ y))
  forceB (monadPT+ P Q R y) = BismsRef (Q (PT P y) >>= R)
  --@END


  --@BEGIN@monadicLawinf
  monadicLaw∞ : {lu : LUniv}{c₀ c₁ c₂ : Choice}
                (P : Process+ ∞ {lu} c₀)
                (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
                (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
                → (x : ChoiceSet (E P))
                → Bisims∞ (((PE P x >>=∞ Q) >>=∞ R))
                          ((PE P x >>=∞ (λ x → Q x >>= R)))
  monadicLaw∞ P Q R x = monadicLaw₁₋₃∞ (PE P x) Q R
  --@END


--@BEGIN@monadthreeSWplus
monad₃SW+ : {lu : LUniv}{c₀ c₁ c₂ : Choice}
            (P : Process+ ∞ {lu} c₀)
            (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
            (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
            → Bisimw+ ((P >>=+ Q) >>=+ R)
                      (P >>=+ (λ x → Q x >>= R))
--@END


--@BEGIN@monadthreeSWplusProof
monad₃SW+ P Q R = bisimsToBismw+
                    ((P >>=+ Q) >>=+ R)
                    (P >>=+ (λ x → Q x >>= R))
                    (monadicLaw₁₋₃+ P Q R)
--@END


--@BEGIN@monadthreeSW
monad₃SW : {lu : LUniv}{c₀ c₁ c₂ : Choice}
           (P : Process ∞ {lu} c₀)
           (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
           (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
           → Bisimw ((P >>= Q) >>= R)
                    (P >>= (λ x → Q x >>= R))
monad₃SW P Q R = bisimsToBismw ((P >>= Q) >>= R)
                               (P >>= (λ x → Q x >>= R))
                               (monadicLaw₁₋₃ P Q R)
--@END


--@BEGIN@monadthreeSWplusr
monad₃SW+r : {lu : LUniv}{c₀ c₁ c₂ : Choice}
             (P : Process+ ∞ {lu} c₀)
             (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
             (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
             → Bisimw+ (P >>=+ (λ x → Q x >>= R))
                       ((P >>=+ Q) >>=+ R)
monad₃SW+r P Q R = BismwSym+ ((P >>=+ Q) >>=+ R)
                             (P >>=+ (λ x → Q x >>= R))
                             (monad₃SW+ P Q R)
--@END


--@BEGIN@monadthreeSWr
monad₃SWr : {lu : LUniv}{c₀ c₁ c₂ : Choice}
            (P : Process ∞ {lu} c₀)
            (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
            (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
            → Bisimw (P >>= (λ x → Q x >>= R))
                     ((P >>= Q) >>= R)
monad₃SWr P Q R = BismwSym ((P >>= Q) >>= R)
                           (P >>= (λ x → Q x >>= R))
                           (monad₃SW P Q R)
--@END


--@BEGIN@WbisimTraceEqForMonadthree
WbisimTraceEqForMonad₃ : {lu : LUniv}{c₀ c₁ c₂ : Choice}
                         (P : Process ∞ {lu} c₀)
                         (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
                         (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
                         → ((P >>= Q) >>= R) ⊑ (P >>= (λ x → Q x >>= R))
WbisimTraceEqForMonad₃ P Q R l m tr = bisimTraceEq ((P >>= Q) >>= R)
                                                   ((P >>= (λ x → Q x >>= R)))
                                                   (monad₃SW P Q R) l m tr
--@END


--@BEGIN@WbisimTraceEqForMonadthreer
WbisimTraceEqForMonad₃r : {lu : LUniv}{c₀ c₁ c₂ : Choice}
                          (P : Process ∞ {lu} c₀)
                          (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
                          (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
                          → (P >>= (λ x → Q x >>= R)) ⊑ ((P >>= Q) >>= R)
WbisimTraceEqForMonad₃r P Q R l m tr = bisimTraceEq
                                         ((P >>= (λ x → Q x >>= R)))
                                         ((P >>= Q) >>= R) (monad₃SWr P Q R) l m tr
--@END


--@BEGIN@WbisimFdioneMonadthree
WbisimFdi₁Monad₃ : {lu : LUniv}{c₀ c₁ c₂ : Choice}
                   (P : Process ∞ {lu} c₀)
                   (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
                   (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
                   → ((P >>= Q) >>= R) ⊑fdi₁
                     (P >>= (λ x → Q x >>= R))
WbisimFdi₁Monad₃ P Q R l x = bisimImTrD ((P >>= Q) >>= R)
                                        (P >>= (λ x₁ → Q x₁ >>= R))
                                        (monad₃SW P Q R) l x
--@END


--@BEGIN@WbisimFdioneMonadthreer
WbisimFdi₁Monad₃r : {lu : LUniv}{c₀ c₁ c₂ : Choice}
                    (P : Process ∞ {lu} c₀)
                    (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
                    (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
                    → (P >>= (λ x → Q x >>= R)) ⊑fdi₁
                      ((P >>= Q) >>= R)
WbisimFdi₁Monad₃r P Q R l x = bisimImTrD
                                (P >>= (λ x₁ → Q x₁ >>= R))
                                ((P >>= Q) >>= R) (monad₃SWr P Q R) l x
--@END


--@BEGIN@WbisimFditwoMonadthree
WbisimFdi₂Monad₃ : {lu : LUniv}{c₀ c₁ c₂ : Choice}
                   (P : Process ∞ {lu} c₀)
                   (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
                   (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
                   → ((P >>= Q) >>= R) ⊑fdi₂ros
                     (P >>= (λ x → Q x >>= R))
WbisimFdi₂Monad₃ P Q R l X x = bisimRefusalros
                                 ((P >>= Q) >>= R)
                                 (P >>= (λ x₁ → Q x₁ >>= R))
                                 (monad₃SW P Q R) l X x

WbisimFdi₃Monad₃ : {lu : LUniv}{c₀ c₁ c₂ : Choice}
                   (P : Process ∞ {lu} c₀)
                   (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
                   (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
                   → ((P >>= Q) >>= R) ⊑fdi₃
                     (P >>= (λ x → Q x >>= R))
WbisimFdi₃Monad₃ P Q R = bisimImFDI₃
                           ((P >>= Q) >>= R)
                           (P >>= (λ x → Q x >>= R))
                           (monad₃SW P Q R)
--@END


--@BEGIN@WbisimFditwoMonadthreer
WbisimFdi₂Monad₃r : {lu : LUniv}{c₀ c₁ c₂ : Choice}
                    (P : Process ∞ {lu} c₀)
                    (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
                    (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
                    → (P >>= (λ x → Q x >>= R)) ⊑fdi₂ros
                      ((P >>= Q) >>= R)
WbisimFdi₂Monad₃r P Q R l X x = bisimRefusalros
                                  (P >>= (λ x₁ → Q x₁ >>= R))
                                  ((P >>= Q) >>= R)
                                  ((monad₃SWr P Q R)) l X x

WbisimFdi₃Monad₃r : {lu : LUniv}{c₀ c₁ c₂ : Choice}
                    (P : Process ∞ {lu} c₀)
                    (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
                    (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
                    → (P >>= (λ x → Q x >>= R)) ⊑fdi₃
                      ((P >>= Q) >>= R)
WbisimFdi₃Monad₃r P Q R = bisimImFDI₃
                            (P >>= (λ x → Q x >>= R))
                            ((P >>= Q) >>= R)
                            (monad₃SWr P Q R)
--@END


--@BEGIN@WbisimFdiMonadthree
WbisimFdiMonad₃ : {lu : LUniv}{c₀ c₁ c₂ : Choice}
                  (P : Process ∞ {lu} c₀)
                  (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
                  (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
                  → ((P >>= Q) >>= R) ⊑fdi
                    (P >>= (λ x → Q x >>= R))
WbisimFdiMonad₃ P Q R = (((WbisimTraceEqForMonad₃ P Q R)
                         ,, (WbisimFdi₁Monad₃ P Q R))
                         ,, (WbisimFdi₂Monad₃ P Q R))
                         ,, WbisimFdi₃Monad₃ P Q R
--@END


--@BEGIN@WbisimFdiMonadthreer
WbisimFdiMonad₃r : {lu : LUniv}{c₀ c₁ c₂ : Choice}
                   (P : Process ∞ {lu} c₀)
                   (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
                   (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
                   → (P >>= (λ x → Q x >>= R)) ⊑fdi
                     ((P >>= Q) >>= R)
WbisimFdiMonad₃r P Q R = (((WbisimTraceEqForMonad₃r P Q R)
                          ,, (WbisimFdi₁Monad₃r P Q R))
                          ,, (WbisimFdi₂Monad₃r P Q R))
                          ,, WbisimFdi₃Monad₃r P Q R
--@END


--@BEGIN@WbisimFdiEqMonadthree
WbisimFdiEqMonad₃ : {lu : LUniv}{c₀ c₁ c₂ : Choice}
                    (P : Process ∞ {lu} c₀)
                    (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
                    (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
                    → ((P >>= Q) >>= R) =fdi (P >>= (λ x → Q x >>= R))
WbisimFdiEqMonad₃ P Q R = (WbisimFdiMonad₃ P Q R)
                          ,, (WbisimFdiMonad₃r P Q R)
--@END


--@BEGIN@monadicLawOneTrace
monadicLaw₁Trace : {lu : LUniv}{c₀ c₁ : Choice}
                   (a : ChoiceSet c₀)
                   (P : ChoiceSet c₀ → Process ∞ {lu} c₁)
                   → (terminate a >>= P) =tr (P a)
--@END


--@BEGIN@monadicLawOneTraceProof
monadicLaw₁Trace a P = bisimTraceEq=
                         (terminate a >>= P) (P a) (monadicLaw₁ a P)
--@END


--@BEGIN@monadicLawOneSF
monadicLaw₁SF+ : {lu : LUniv}{c₀ c₁ : Choice}
                 (a : ChoiceSet c₀)
                 (P : ChoiceSet c₀ → Process ∞ {lu} c₁)
                 → (terminate a >>= P) =sf (P a)
--@END


--@BEGIN@monadicLawOneSFProof
monadicLaw₁SF+ a P = bisimwImplies=sf
                       (terminate a >>= P) (P a) (monadicLaw₁ a P)
--@END


--@BEGIN@monadicLawOneFDI
monadicLaw₁FDI+ : {lu : LUniv}{c₀ c₁ : Choice}
                  (a : ChoiceSet c₀)
                  (P : ChoiceSet c₀ → Process ∞ {lu} c₁)
                  → (terminate a >>= P) =fdi (P a)
--@END


--@BEGIN@monadicLawOneFDIProof
monadicLaw₁FDI+ a P = bisimFDIImpEq
                        (terminate a >>= P) (P a) (monadicLaw₁ a P)
--@END


--@BEGIN@monadicLawThreeTrace
monadicLaw₃Trace+ : {lu : LUniv}{c₀ c₁ c₂ : Choice}
                    (P : Process+ ∞ {lu} c₀)
                    (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
                    (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
                    → ((P >>=+ Q) >>=+ R) =tr+
                      (P >>=+ (λ x → Q x >>= R))
--@END

--@BEGIN@monadicLawThreeTraceProof
monadicLaw₃Trace+ P Q R = bisimTraceEqs+=
                            ((P >>=+ Q) >>=+ R)
                            (P >>=+ (λ x → Q x >>= R))
                            (monadicLaw₁₋₃+ P Q R)
--@END


--@BEGIN@monadicLawThreeSF
monadicLaw₃SF+ : {lu : LUniv}{c₀ c₁ c₂ : Choice}
                 (P : Process+ ∞ {lu} c₀)
                 (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
                 (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
                 → ((P >>=+ Q) >>=+ R) =sf+
                   (P >>=+ (λ x → Q x >>= R))
--@END


--@BEGIN@monadicLawThreeSFProof
monadicLaw₃SF+ P Q R = bisimsImplies=sf+
                         ((P >>=+ Q) >>=+ R)
                         (P >>=+ (λ x → Q x >>= R))
                         (monadicLaw₁₋₃+ P Q R)
--@END


--@BEGIN@monadicLawThreeFDI
monadicLaw₃FDI+ : {lu : LUniv}{c₀ c₁ c₂ : Choice}
                  (P : Process+ ∞ {lu} c₀)
                  (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
                  (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
                  → ((P >>=+ Q) >>=+ R) =fdi+
                    (P >>=+ (λ x → Q x >>= R))
--@END

--@BEGIN@monadicLawThreeFDIProof
monadicLaw₃FDI+ P Q R = bisimsImFdiEquiv
                          ((P >>=+ Q) >>=+ R)
                          (P >>=+ (λ x → Q x >>= R))
                          (monadicLaw₁₋₃+ P Q R)
--@END


A.74 proofBisimSFFdiMonadicLaws2.agda


--@PREFIX@proofBisimSFFdiMonadicLawsTwo
module proofBisimSFFdiMonadicLaws2 where


open import process
open import choiceSetU
open import Size
open import Relation.Binary.PropositionalEquality
open import Data.Sum
open import auxData
open import RefWithoutSize
open import bisimilarity
open import bisimSImpliesBisimw
open import bisimilarityProofs
open import bisimImpliesTraceEquiv
open import bisimImpliesFDI
open import fdiRefusal
open import bisimImpliesBisim
open import bisimSym
open import sequentialCompositionRev
open import labelUniv
open import bisimImpliesFDIPartTwo
open import bisimImpliesTraceEquiv
open import traceEquivalence renaming (_=_ to _=tr_; _=+_ to _=tr+_)
open import bisimwImpliesStableFailuresEquivalence
open import dataAuxFunction
open import Data.Unit
open import Data.Empty


mutual

  --@BEGIN@NoTicks
  record NoTicks∞ {i : Size}
                  {lu : LUniv}{c : Choice}
                  (P : Process∞ ∞ {lu} c) : Set where
    coinductive
    field
      forceNT : {j : Size< i} → NoTicks {j} (forcep P {∞})

  NoTicks : {i : Size}
            {lu : LUniv}{c : Choice}
            (P : Process ∞ {lu} c)
            → Set
  NoTicks (terminate x) = ⊤
  NoTicks (node P) = NoTicks+ P

  record NoTicks+ {i : Size}
                  {lu : LUniv}{c : Choice}
                  (P : Process+ ∞ {lu} c) : Set where
    coinductive
    field
      noT   : ¬ (ChoiceSet (T P))
      nextE : (ext₁ : ChoiceSet (E P)) → NoTicks∞ (PE P ext₁)
      nextI : (int₁ : ChoiceSet (I P)) → NoTicks∞ (PI P int₁)
  --@END

open NoTicks∞ public
open NoTicks+ public

mutual

  --@BEGIN@proofMonadicLawTwo
  monadicLaw₂∞ : {i : Size}{lu : LUniv}{c : Choice}
                 (P : Process∞ ∞ {lu} c)
                 (noticks : NoTicks∞ {i} P)
                 → Bisims∞ {i} (P >>=∞ terminate) P
  forceB (monadicLaw₂∞ {i} {lu} {c} P noticks) {j} =
      monadicLaw₂ {j} (forcep P {∞}) (forceNT noticks {j})

  monadicLaw₂ : {i : Size}{lu : LUniv}{c : Choice}
                (P : Process ∞ {lu} c)
                (noticks : NoTicks {i} P)
                → Bisims {i} (P >>= terminate) P
  monadicLaw₂ {i} (terminate x) noticks = eqterminate
  monadicLaw₂ {i} (node P) noticks = eqnode (monadicLaw₂+ {i} P noticks)

  monadicLaw₂+ : {i : Size}{lu : LUniv}{c : Choice}
                 (P : Process+ ∞ {lu} c)
                 (noticks : NoTicks+ {i} P)
                 → Bisims+ {i} (P >>=+ terminate) P
  bisim2E (monadicLaw₂+ P noticks) e = e
  bisimELab (monadicLaw₂+ P noticks) e = refl
  bisimENext (monadicLaw₂+ P noticks) e = monadicLaw₂∞ (PE P e) (nextE noticks e)
  bisim2I (monadicLaw₂+ P noticks) (inj₁ int₁) = int₁
  bisim2I (monadicLaw₂+ P noticks) (inj₂ t) = ⊥-elim (noT noticks t)
  bisim1Next (monadicLaw₂+ P noticks) (inj₁ int₁) = monadicLaw₂∞ (PI P int₁) (nextI noticks int₁)
  bisim1Next (monadicLaw₂+ P noticks) (inj₂ t) = ⊥-elim (noT noticks t)
  bisim2T (monadicLaw₂+ P noticks) ()
  bisim2TEq (monadicLaw₂+ P noticks) ()
  bisim2Er (monadicLaw₂+ P noticks) e = e
  bisimELabr (monadicLaw₂+ P noticks) e = refl
  bisimENextr (monadicLaw₂+ P noticks) e = monadicLaw₂∞ (PE P e) (nextE noticks e)
  bisim2Ir (monadicLaw₂+ P noticks) int₁ = inj₁ int₁
  bisim1Nextr (monadicLaw₂+ {i} P noticks) int₁
      = monadicLaw₂∞ {i} (PI P int₁) (nextI noticks int₁)
  bisim2Tr (monadicLaw₂+ P noticks) t = ⊥-elim (noT noticks t)
  bisim2TEqr (monadicLaw₂+ P noticks) t = ⊥-elim (noT noticks t)
  --@END


A.75 proofCommutativeExtermalChoice.agda


--@PREFIX@proofCommutativeExtermalChoice
--old: proofBisimImpliesComExtermalChoice
--old: proofBisimImpliesSymExtermalChoice

module proofCommutativeExtermalChoice where


open import process
open import choiceSetU
open import Size
open import Relation.Binary.PropositionalEquality
open import Data.Sum
open import renamingResult
open import lemFmap
open import auxData
open import RefWithoutSize
open import bisimilarity
open import bisimSImpliesBisimw
open import bisimilarityProofs
open import bisimImpliesTraceEquiv
open import bisimLemFmap
open import bisimImpliesFDI
open import fdiRefusal
open import bisimImpliesBisim
open import externalChoice
open import addTick
open import labelUniv
open import bisimImpliesFDIPartTwo
open import bisimImpliesTraceEquiv
open import traceEquivalence
open import bisimwImpliesStableFailuresEquivalence


mutual

  --@BEGIN@ExtBisim
  C□++ : {lu : LUniv}{c₀ c₁ : Choice} (P : Process+ ∞ {lu} c₀)
         (Q : Process+ ∞ {lu} c₁)
         → Bisims+ (P □++ Q) (fmap+ swap⊎ (Q □++ P))
  --@END


  --@BEGIN@ExtBisimProof
  bisim2E (C□++ P Q) (inj₁ x) = inj₂ x
  bisim2E (C□++ P Q) (inj₂ y) = inj₁ y
  bisimELab (C□++ P Q) (inj₁ x) = refl
  bisimELab (C□++ P Q) (inj₂ y) = refl
  bisimENext (C□++ P Q) (inj₁ x) =
      lemBisimFmap∞ inj₂ swap⊎ (PE P x)
  bisimENext (C□++ P Q) (inj₂ y) =
      lemBisimFmap∞ inj₁ swap⊎ (PE Q y)
  bisim2I (C□++ P Q) (inj₁ x) = inj₂ x
  bisim2I (C□++ P Q) (inj₂ y) = inj₁ y
  bisim1Next (C□++ {lu} P Q) (inj₁ x) =
      C□∞++ {lu = lu} (PI P x) Q
  bisim1Next (C□++ {lu} P Q) (inj₂ y) =
      C□+∞+ {lu = lu} P (PI Q y)
  bisim2T (C□++ P Q) (inj₁ x) = inj₂ x
  bisim2T (C□++ P Q) (inj₂ y) = inj₁ y
  bisim2TEq (C□++ P Q) (inj₁ x) = refl
  bisim2TEq (C□++ P Q) (inj₂ y) = refl
  bisim2Er (C□++ P Q) (inj₁ x) = inj₂ x
  bisim2Er (C□++ P Q) (inj₂ y) = inj₁ y
  bisimELabr (C□++ P Q) (inj₁ x) = refl
  bisimELabr (C□++ P Q) (inj₂ y) = refl
  bisimENextr (C□++ P Q) (inj₁ x) =
      lemBisimFmap∞ inj₁ swap⊎ (PE Q x)
  bisimENextr (C□++ P Q) (inj₂ y) =
      lemBisimFmap∞ inj₂ swap⊎ (PE P y)
  bisim2Ir (C□++ P Q) (inj₁ x) = inj₂ x
  bisim2Ir (C□++ P Q) (inj₂ y) = inj₁ y
  bisim1Nextr (C□++ P Q) (inj₁ x) =
      C□+∞+ P (PI Q x)
  bisim1Nextr (C□++ P Q) (inj₂ y) =
      C□∞++ (PI P y) Q
  bisim2Tr (C□++ P Q) (inj₁ x) = inj₂ x
  bisim2Tr (C□++ P Q) (inj₂ y) = inj₁ y
  bisim2TEqr (C□++ P Q) (inj₁ x) = refl
  bisim2TEqr (C□++ P Q) (inj₂ y) = refl
  --@END


  C□+∞+ : {lu : LUniv}{c₀ c₁ : Choice}
          → (P : Process+ ∞ {lu} c₀)
          → (Q : Process∞ ∞ {lu} c₁)
          → Bisims∞ (P □+∞+ Q) (fmap∞ swap⊎ (Q □∞++ P))
  forceB (C□+∞+ P Q) = eqnode (C□+p+ P (forcep Q))


  C□+p+ : {lu : LUniv}{c₀ c₁ : Choice}
          → (P : Process+ ∞ {lu} c₀)
          → (Q : Process ∞ {lu} c₁)
          → Bisims+ (P □+p+ Q) (fmap+ swap⊎ (Q □p++ P))
  C□+p+ P (terminate x) = addTimeFmapBisimLemma+ inj₂ swap⊎ P (inj₁ x)
  C□+p+ P (node Q) = C□++ P Q


  C□∞++ : {lu : LUniv}{c₀ c₁ : Choice}
          → (P : Process∞ ∞ {lu} c₀)
          → (Q : Process+ ∞ {lu} c₁)
          → Bisims∞ (P □∞++ Q) (fmap∞ swap⊎ (Q □+∞+ P))
  forceB (C□∞++ P Q) = eqnode (C□p++ (forcep P) Q)


  C□p++ : {lu : LUniv}{c₀ c₁ : Choice}
          → (P : Process ∞ {lu} c₀)
          → (Q : Process+ ∞ {lu} c₁)
          → Bisims+ (P □p++ Q) (fmap+ swap⊎ (Q □+p+ P))
  C□p++ (terminate x) Q = addTimeFmapBisimLemma+ inj₁ swap⊎ Q (inj₂ x)
  C□p++ (node P) Q = C□++ P Q


--@BEGIN@ComExtBisim
SW□+ : {lu : LUniv}{c₀ c₁ : Choice}
       (P : Process+ ∞ {lu} c₀)
       (Q : Process+ ∞ {lu} c₁)
       → Bisimw+ (P □++ Q) (fmap+ swap⊎ (Q □++ P))
--@END


--@BEGIN@ComExtBisimProof
SW□+ P Q = bisimsToBismw+ (P □++ Q)
                          (fmap+ swap⊎ (Q □++ P)) (C□++ P Q)
--@END


--@BEGIN@ComExtBis imR
SW□+r : {lu : LUniv}{c₀ c₁ : Choice}
        (P : Process+ ∞ {lu} c₀)
        (Q : Process+ ∞ {lu} c₁)
        → Bisimw+ (fmap+ swap⊎ (Q □++ P)) (P □++ Q)
SW□+r P Q = BismwSym+ (P □++ Q)
                      (fmap+ swap⊎ (Q □++ P)) (SW□+ P Q)
--@END


--@BEGIN@WbisimTraceEqForComExtBisim
WbisimTraceEqFor□+ : {lu : LUniv}{c : Choice}
                     (P P' : Process+ ∞ {lu} c)
                     → (P □++ P') ⊑+ (fmap+ swap⊎ (P' □++ P))
WbisimTraceEqFor□+ P P' l m tr = bisimTraceEq+ (P □++ P')
                                               (fmap+ swap⊎ (P' □++ P))
                                               (SW□+ P P') l m tr
--@END


--@BEGIN@WbisimTraceEqForComExtBisimR
WbisimTraceEqFor□+r : {lu : LUniv}{c : Choice}
                      (P P' : Process+ ∞ {lu} c)
                      → (fmap+ swap⊎ (P' □++ P)) ⊑+ (P □++ P')
WbisimTraceEqFor□+r P P' l m tr = bisimTraceEq+
                                    (fmap+ swap⊎ (P' □++ P))
                                    (P □++ P')
                                    (SW□+r P P') l m tr
--@END


--@BEGIN@WbisimFdioneComExtBisim
WbisimFdi₁□+ : {lu : LUniv}{c : Choice}
               (P P' : Process+ ∞ {lu} c)
               → (P □++ P') ⊑fdi₁+ (fmap+ swap⊎ (P' □++ P))
WbisimFdi₁□+ P P' l x = bisimImTrD+
                          (P □++ P')
                          (fmap+ swap⊎ (P' □++ P))
                          (SW□+ P P') l x
--@END

--@BEGIN@WbisimFdioneComExtBisimR
WbisimFdi₁□+r : {lu : LUniv}{c : Choice}
                (P P' : Process+ ∞ {lu} c)
                → (fmap+ swap⊎ (P' □++ P)) ⊑fdi₁+ (P □++ P')
WbisimFdi₁□+r P P' l x = bisimImTrD+
                           (fmap+ swap⊎ (P' □++ P))
                           (P □++ P')
                           (SW□+r P P') l x
--@END


--@BEGIN@WbisimFditwoComExtBisim
WbisimFdi₂□+ : {lu : LUniv}{c : Choice}
               (P P' : Process+ ∞ {lu} c)
               → (P □++ P') ⊑fdi₂ros+ (fmap+ swap⊎ (P' □++ P))
WbisimFdi₂□+ P P' l X x₁ = bisimRefusalros+
                             (P □++ P')
                             (fmap+ swap⊎ (P' □++ P))
                             (SW□+ P P') l X x₁

WbisimFdi₃□+ : {lu : LUniv}{c : Choice}
               (P P' : Process+ ∞ {lu} c)
               → (P □++ P') ⊑fdi₃+ (fmap+ swap⊎ (P' □++ P))
WbisimFdi₃□+ P P' = bisimImFDI₃+
                      (P □++ P')
                      (fmap+ swap⊎ (P' □++ P))
                      (SW□+ P P')
--@END


--@BEGIN@WbisimFditwoComExtBisimR
WbisimFdi₂□+r : {lu : LUniv}{c : Choice}
                (P P' : Process+ ∞ {lu} c)
                → (fmap+ swap⊎ (P' □++ P)) ⊑fdi₂ros+ (P □++ P')
WbisimFdi₂□+r P P' l X x₁ = bisimRefusalros+
                              (fmap+ swap⊎ (P' □++ P))
                              (P □++ P')
                              (SW□+r P P') l X x₁

WbisimFdi₃□+r : {lu : LUniv}{c : Choice}
                (P P' : Process+ ∞ {lu} c)
                → (fmap+ swap⊎ (P' □++ P)) ⊑fdi₃+ (P □++ P')
WbisimFdi₃□+r P P' = bisimImFDI₃+
                       (fmap+ swap⊎ (P' □++ P))
                       (P □++ P')
                       (SW□+r P P')
--@END


--@BEGIN@WbisimFdiComExtBisimR
WbisimFdi□+r : {lu : LUniv}{c : Choice}
               (P P' : Process+ ∞ {lu} c)
               → (fmap+ swap⊎ (P' □++ P)) ⊑fdi+ (P □++ P')
WbisimFdi□+r P P' = ((WbisimTraceEqFor□+r P P'
                     ,, WbisimFdi₁□+r P P')
                     ,, WbisimFdi₂□+r P P')
                     ,, WbisimFdi₃□+r P P'
--@END


--@BEGIN@WbisimFdiComExtBisim
WbisimFdi□+ : {lu : LUniv}{c : Choice}
              (P P' : Process+ ∞ {lu} c)
              → (P □++ P') ⊑fdi+ (fmap+ swap⊎ (P' □++ P))
WbisimFdi□+ P P' = (((WbisimTraceEqFor□+ P P')
                    ,, (WbisimFdi₁□+ P P'))
                    ,, (WbisimFdi₂□+ P P'))
                    ,, WbisimFdi₃□+ P P'
--@END


--@BEGIN@WbisimFdiComExtBisimTwoPart
WbisimFdiEq□+ : {lu : LUniv}{c : Choice}
                (P P' : Process+ ∞ {lu} c)
                → (P □++ P') =fdi+ (fmap+ swap⊎ (P' □++ P))
WbisimFdiEq□+ P P' = (WbisimFdi□+ P P') ,, WbisimFdi□+r P P'
--@END


--@BEGIN@CommuteExtChWeakBisim
commuteExtChWeakBisim+ : {lu : LUniv}{c₀ c₁ : Choice}
                         (P : Process+ ∞ {lu} c₀)
                         (P' : Process+ ∞ {lu} c₁)
                         → Bisimw+ (P □++ P') (fmap+ swap⊎ (P' □++ P))
commuteExtChWeakBisim+ P P' = bisimsToBismw+ (P □++ P')
                                             (fmap+ swap⊎ (P' □++ P))
                                             (C□++ P P')
--@END


--@BEGIN@CommuteExtChTrace
commuteExtChTrace+ : {lu : LUniv}{c₀ c₁ : Choice}
                     (P : Process+ ∞ {lu} c₀)
                     (P' : Process+ ∞ {lu} c₁)
                     → (P □++ P') =+ (fmap+ swap⊎ (P' □++ P))
--@END


--@BEGIN@CommuteExtChTraceProof
commuteExtChTrace+ P P' = bisimTraceEqs+= (P □++ P')
                                          (fmap+ swap⊎ (P' □++ P))
                                          (C□++ P P')
--@END


--@BEGIN@CommuteExtChSF
commuteExtChSF+ : {lu : LUniv}{c₀ c₁ : Choice}
                  (P : Process+ ∞ {lu} c₀)
                  (P' : Process+ ∞ {lu} c₁)
                  → (P □++ P') =sf+ (fmap+ swap⊎ (P' □++ P))
--@END


--@BEGIN@CommuteExtChSFProof
commuteExtChSF+ P P' = bisimsImplies=sf+ (P □++ P')
                                         (fmap+ swap⊎ (P' □++ P))
                                         (C□++ P P')
--@END


--@BEGIN@CommuteExtChFDI
commuteExtChFDI+ : {lu : LUniv}{c₀ c₁ : Choice}
                   (P : Process+ ∞ {lu} c₀)
                   (P' : Process+ ∞ {lu} c₁)
                   → (P □++ P') =fdi+ (fmap+ swap⊎ (P' □++ P))
--@END


--@BEGIN@CommuteExtChFDIProof
commuteExtChFDI+ P P' = bisimsImFdiEquiv (P □++ P')
                                         (fmap+ swap⊎ (P' □++ P))
                                         (C□++ P P')
--@END


A.76 proofEqforParSym.agda


--@PREFIX@mainproofEqforParSym
module proofEqforParSym where
open import process
open import Size
open import choiceSetU
open import renamingResult
open import lemFmap
open import Data.Product
open import labelUniv
open import parallelSimple
open import Data.Bool
open import traceEquivalence
open import proofSymParPartone
open import proofSymParR


--@BEGIN@EqforParSymDef
=S[||]+ : {lu : LUniv}{c₀ c₁ : Choice} (P : Process+ ∞ {lu} c₀)
          (A B : Label lu → Bool)
          (Q : Process+ ∞ {lu} c₁)
          → (P [ A ]||+[ B ] Q) =+ (fmap+ swap× ((Q [ B ]||+[ A ] P)))
=S[||]+ P A B Q = (S[||]+ P A B Q) , (S[||]+R P A B Q)
--@END

A.77 proofEqforParSymTheoOnly.agda


--@PREFIX@mainproofEqforParSymTheoOnly
module proofEqforParSymTheoOnly where


open import process
open import Size
open import choiceSetU
open import renamingResult
open import lemFmap
open import Data.Product
open import labelUniv
open import parallelSimple
open import Data.Bool
open import traceEquivalence
open import proofSymParPartone
open import proofSymParR


--@BEGIN@EqforParSymDef
=S[||]+ : {lu : LUniv}{c₀ c₁ : Choice}
          (P : Process+ ∞ {lu} c₀)
          (A B : Label lu → Bool)
          (Q : Process+ ∞ {lu} c₁)
          → (P [ A ]||+[ B ] Q) =+ (fmap+ swap× ((Q [ B ]||+[ A ] P)))
--@END

=S[||]+ P A B Q = (S[||]+ P A B Q) , (S[||]+R P A B Q)

A.78 ProofLawsSeq.agda

--@PREFIX@mainProofLawsSeq
module ProofLawsSeq where

open import process
open import Size
open import Level
open import choiceSetU
open import auxData
open import Data.Maybe
open import Data.Product
open import Data.Fin
open import Data.List
open import Data.Sum
open import labelUniv
open import dataAuxFunction
open import externalChoice
open import sequentialCompositionRev
open import renamingResult
open import TraceWithoutSize
open import RefWithoutSize
open import primitiveProcess
open import traceEquivalence
open import Data.Product

lemTrTerminateBind : {lu : LUniv}(c : Choice)(P : Process+ ∞ {lu} c)(x : ChoiceSet (T P))
                     → Tr∞ [] (just (PT P x)) (PI (P ⟫=+ terminate) (inj₂ x))
lemTrTerminateBind c P x = ter (PT P x)

lemTrTerminateBind' : {lu : LUniv}(c₀ c₁ c₂ : Choice)
                      (P : Process+ ∞ {lu} c₀)
                      (Q : ChoiceSet c₀ → Process ∞ c₁)
                      (R : ChoiceSet c₁ → Process ∞ c₂)
                      (x : Fin 0)
                      → Tr∞ [] (just (PT (_⟫=+_ P (λ x₁ → _⟫=_ (Q x₁) R)) x)) (PI (_⟫=+_
lemTrTerminateBind' c P Q R x q ()

--@BEGIN@stopSeq
stopSeq : {lu : LUniv}{c₀ : Choice} (a : ChoiceSet c₀)
          (P : ChoiceSet c₀ → Process ∞ {lu} c₀)
          → (STOP c₀ ⟫= P) ⊑ STOP c₀
stopSeq a P .[] .nothing (tnode empty) = tnode empty
stopSeq a P .(efq _ :: l) m (tnode (extc l .m () x₁))
stopSeq a P l m (tnode (intc .l .m () x₁))
stopSeq a P .[] .(just (efq _)) (tnode (terc ()))
--@END

stopSeqr : {lu : LUniv}{c₀ : Choice} (a : ChoiceSet c₀)
           (P : ChoiceSet c₀ → Process ∞ {lu} c₀)
           → STOP c₀ ⊑ (STOP c₀ ⟫= P)
stopSeqr a P .[] .nothing (tnode empty) = tnode empty
stopSeqr a P .(efq _ :: l) m (tnode (extc l .m () x₁))
stopSeqr a P l m (tnode (intc .l .m (inj₁ ()) x₁))
stopSeqr a P l m (tnode (intc .l .m (inj₂ ()) x₁))
stopSeqr a P .[] .(just (PT (process+ (fin 0) efq efq
                                      (fin 0) efq (fin 0) efq "STOP"
                                      ⟫=+ P) _)) (tnode (terc ()))

--@BEGIN@stopSeqEq
≡stopSeq : {lu : LUniv}{c₀ : Choice} (a : ChoiceSet c₀)
           (P : ChoiceSet c₀ → Process ∞ {lu} c₀)
           → STOP c₀ {lu} ≡ (STOP c₀ {lu} ⟫= P)
≡stopSeq a P = (stopSeqr a P) , (stopSeq a P)
--@END


--@BEGIN@unitSeqL
unitSeqL : {lu : LUniv}{c₀ c₁ : Choice} (a : ChoiceSet c₀)
           (P : ChoiceSet c₀ → Process ∞ {lu} c₁)
           → (terminate a ⟫= P) ⊑ P a
unitSeqL a P l m q = q
--@END

unitSeqLr : {lu : LUniv}{c₀ c₁ : Choice} (a : ChoiceSet c₀)(P : ChoiceSet c₀ → Process ∞ {lu} c₁)
            → P a ⊑ (terminate a ⟫= P)
unitSeqLr {lu} {c₀} {c₁} a P l m q = q

--@BEGIN@unitSeqLEq
≡unitSeq : {lu : LUniv}{c₀ : Choice} (a : ChoiceSet c₀)
           (P : ChoiceSet c₀ → Process ∞ {lu} c₀)
           → P a ≡ (terminate a ⟫= P)
≡unitSeq a P = (unitSeqL a P) , unitSeqLr a P
--@END


lemTrTerminateBind'' : {lu : LUniv}(c : Choice)(P : Process+ ∞ {lu} c) (x : Fin 0)
                       → Tr+ {lu} [] (just (PT (P ⟫=+ terminate) x)) P
lemTrTerminateBind'' c P ()

lemtr+trterminate : {lu : LUniv}(c₀ : Choice) (m : Maybe (ChoiceSet c₀)) → (P : Process+ ∞ {lu} c₀)
                    → (l : List (Label lu)) →
                    (y : ChoiceSet (T P)) → (traux : Tr {lu} {c₀} l m (terminate (PT P y))) → Tr+ l m P
lemtr+trterminate c₀ .(just (PT P y)) P .[] y (ter .(PT P y)) = terc y
lemtr+trterminate c₀ .nothing P .[] y (empty .(PT P y)) = empty


mutual
  unitSeqR : {lu : LUniv}{c₀ : Choice} (P : Process ∞ {lu} c₀)
             → (P ⟫= terminate) ⊑ P
  unitSeqR (terminate x) l m q = q
  unitSeqR (node x) l m (tnode q) = tnode (unitSeqR+ x l m q)

  --@BEGIN@unitSeqR
  unitSeqR+ : {lu : LUniv}{c₀ : Choice} (P : Process+ ∞ {lu} c₀)
              → (P ⟫=+ terminate) ⊑+ P
  unitSeqR+ P .[] .nothing empty
    = empty
  unitSeqR+ P .(Lab P x :: l) m (extc l .m x x₁)
    = extc l m x (unitSeqR∞ (PE P x) l m x₁)
  unitSeqR+ P l m (intc .l .m x x₁)
    = intc l m (inj₁ x) (unitSeqR∞ (PI P x) l m x₁)
  unitSeqR+ {lu} {c₀} P .[] .(just (PT P x)) (terc x) =
    intc [] (just (PT P x)) (inj₂ x)
         (lemTrTerminateBind c₀ P x)
  --@END

  unitSeqR∞ : {lu : LUniv}{c₀ : Choice} (P : Process∞ ∞ {lu} c₀)
              → (P ⟫=∞ terminate) ⊑∞ P
  unitSeqR∞ P l m q = unitSeqR (forcep P) l m q


mutual
  unitSeq₂r : {lu : LUniv}{c₀ : Choice} (P : Process ∞ {lu} c₀)
              → P ⊑ (P ⟫= terminate)
  unitSeq₂r {lu} {c₀} (terminate x) l m x₁ = x₁
  unitSeq₂r {lu} {c₀} (node x) l m (tnode tr) = tnode (unitSeq₂r+ x l m tr)

  unitSeq₂r+ : {lu : LUniv}{c₀ : Choice} (P : Process+ ∞ {lu} c₀)
               → P ⊑+ (P ⟫=+ terminate)
  unitSeq₂r+ P .[] .nothing (empty {P = .(P ⟫=+ terminate)}) = empty
  unitSeq₂r+ {lu} P .(Lab P x :: l) m (extc {P = .(P ⟫=+ terminate)} l .m x x₁) = extc l m
  unitSeq₂r+ {lu} {c₀} P l m (intc {P = .(_⟫=+_ {∞} {lu} {c₀} {c₀} P terminate)} .l .m (i
    intc l m
  unitSeq₂r+ {lu} {c₀} P l m (intc {P = .(_⟫=+_ {∞} {lu} {c₀} {c₀} P terminate)} .l .m (in
    let
      s : Set
      s = Tr {lu} {c₀} l m (forcep (PI (_⟫=+_ {∞} {lu} {c₀} {c₀} P terminate
      traux : Tr {lu} {c₀} l m (terminate (PT P y))
      traux = x₁
    in lemtr+trterminate c₀ m P l y traux
  unitSeq₂r+ {lu} {c₀} P .[] .(just (PT (P ⟫=+ terminate) x)) (terc {P = .(P ⟫=+ terminat

  unitSeq₂r∞ : {lu : LUniv}{c₀ : Choice} (P : Process∞ ∞ {lu} c₀)
               → P ⊑∞ (P ⟫=∞ terminate)
  unitSeq₂r∞ {lu} {c₀} P l m x = unitSeq₂r (forcep P {∞}) l m x

--@BEGIN@unitSeqREq
≡unitSeq₂ : {lu : LUniv}{c₀ c₁ : Choice} (P : Process ∞ {lu} c₀)
            → P ≡ (P ⟫= terminate)
≡unitSeq₂ {lu} {c₀} {c₁} P = (unitSeq₂r P) , (unitSeqR P)
--@END


mutual
  assSeq : {lu : LUniv}{c₀ c₁ c₂ : Choice} (P : Process ∞ {lu} c₀)
           (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
           (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
           → ((P ⟫= Q) ⟫= R) ⊑ (P ⟫= (λ x → Q x ⟫= R))
  assSeq {lu} {c₀} {c₁} {c₂} (terminate x) Q R l m q = q
  assSeq {lu} {c₀} {c₁} {c₂} (node x) Q R l m (tnode q) = tnode (assSeq₁₃+ x Q R l m q)

  --@BEGIN@assSeq
  assSeq₁₃+ : {lu : LUniv}{c₀ c₁ c₂ : Choice} (P : Process+ ∞ {lu} c₀)
              (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
              (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
              → ((P ⟫=+ Q) ⟫=+ R)
                ⊑+ (P ⟫=+ (λ x → Q x ⟫= R))
  assSeq₁₃+ P Q R .[] .nothing empty = empty
  assSeq₁₃+ P Q R .(Lab P x :: l) m (extc l .m x x₁)
    = extc l m x (assSeq+pp P Q R l x m x₁)
  assSeq₁₃+ P Q R l m (intc .l .m (inj₁ x) x₁)
    = intc l m (inj₁ (inj₁ x))
           (assSeq∞pp (PI P x) Q R l m x₁)
  assSeq₁₃+ P Q R l m (intc .l .m (inj₂ y) x₁)
    = intc l m (inj₁ (inj₂ y))
           (assPT+pp P Q R y l m x₁)
  assSeq₁₃+ {lu} {c₀} {c₁} {c₂} P Q R .[]
            .(just (PT (P ⟫=+ (λ x → Q x ⟫= R)) x))
            (terc x) = intc [] (just (PT (_⟫=+_
                                          P (λ x₁ → _⟫=_ (Q x₁) R)) x))
                            (inj₂ x) (lemTrTerminateBind' c₀ c₁ c₂ P Q R x)
  --@END

  assSeq∞pp : {lu : LUniv}{c₀ c₁ c₂ : Choice} (P : Process∞ ∞ {lu} c₀)
              (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
              (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
              → ((P ⟫=∞ Q) ⟫=∞ R) ⊑∞ (P ⟫=∞ (λ x → Q x ⟫= R))
  assSeq∞pp {lu} {c₀} {c₁} {c₂} P Q R l m q = assSeq (forcep P) Q R l m q

  assPT+pp : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process+ ∞ {lu} c₀)(Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
             → (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
             → (y : ChoiceSet (T P))
             → (l : List (Label lu))
             → (m : Maybe (ChoiceSet c₂))
             → (x : Tr∞ l m (PI (P ⟫=+ (λ x → Q x ⟫= R)) (inj₂ y)))
             → Tr∞ l m (PI (P ⟫=+ Q) (inj₂ y) ⟫=∞ R)
  assPT+pp {lu} {c₀} {c₁} {c₂} P Q R y l m tr = tr

  assSeq+pp : {lu : LUniv}{c₀ c₁ c₂ : Choice} (P : Process+ ∞ {lu} c₀)
              (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
              (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
              → (l : List (Label lu))
              → (x : ChoiceSet (E P))
              → (m : Maybe (ChoiceSet c₂))
              → (x₁ : Tr∞ l m (_⟫=∞_ (PE P x) (λ x₂ → _⟫=_ (Q x₂) R)))
              → Tr∞ l m (_⟫=∞_ (_⟫=∞_ (PE P x) Q) R)
  assSeq+pp P Q R l x m tr = assSeq (forcep (PE P x)) Q R l m tr

mutual
  assSeqr : {lu : LUniv}{c₀ c₁ c₂ : Choice} (P : Process ∞ {lu} c₀)
            (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
            (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
            → (P ⟫= (λ x → Q x ⟫= R)) ⊑ ((P ⟫= Q) ⟫= R)
  assSeqr (terminate x) Q R l m q = q
  assSeqr (node x) Q R l m (tnode q) = tnode (assSeq₁₃+r x Q R l m q)

  assSeq₁₃+r : {lu : LUniv}{c₀ c₁ c₂ : Choice} (P : Process+ ∞ {lu} c₀)
               (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
               (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
               → (P ⟫=+ (λ x → Q x ⟫= R)) ⊑+ ((P ⟫=+ Q) ⟫=+ R)
  assSeq₁₃+r P Q R .[] .nothing empty = empty
  assSeq₁₃+r P Q R .(Lab P x :: l) m (extc l .m x x₁)
    = extc l m x (assSeq+ppr P Q R l x m x₁)
  assSeq₁₃+r P Q R l m (intc .l .m (inj₁ (inj₁ x)) x₁)
    = intc l m (inj₁ x) (assSeq∞ppr (PI P x) Q R l m x₁)
  assSeq₁₃+r P Q R l m (intc .l .m (inj₁ (inj₂ y)) x₁)
    = intc l m (inj₂ y) (assPT+ppr P Q R y l m x₁)
  assSeq₁₃+r P Q R l m (intc .l .m (inj₂ ()) x₁)
  assSeq₁₃+r P Q R .[] .(just (PT ((P ⟫=+ Q) ⟫=+ R) _)) (terc ())

  assSeq+ppr : {lu : LUniv}{c₀ c₁ c₂ : Choice} (P : Process+ ∞ {lu} c₀)
               (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
               (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
               → (l : List (Label lu))
               → (x : ChoiceSet (E P))
               → (m : Maybe (ChoiceSet c₂))
               → (x₁ : Tr∞ l m (_⟫=∞_ (_⟫=∞_ (PE P x) Q) R))
               → Tr∞ l m (_⟫=∞_ (PE P x) (λ x₂ → _⟫=_ (Q x₂) R))
  assSeq+ppr P Q R l x m x₁ = assSeqr (forcep (PE P x)) Q R l m x₁

  assSeq∞ppr : {lu : LUniv}{c₀ c₁ c₂ : Choice} (P : Process∞ ∞ {lu} c₀)
               (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
               (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
               → (P ⟫=∞ (λ x → Q x ⟫= R)) ⊑∞ ((P ⟫=∞ Q) ⟫=∞ R)
  assSeq∞ppr {lu} {c₀} {c₁} {c₂} P Q R l m q = assSeqr (forcep P) Q R l m q

  assPT+ppr : {lu : LUniv} {c₀ c₁ c₂ : Choice}(P : Process+ ∞ {lu} c₀)(Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
              → (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
              → (y : ChoiceSet (T P))
              → (l : List (Label lu))
              → (m : Maybe (ChoiceSet c₂))
              → (x : Tr∞ l m (PI (P ⟫=+ Q) (inj₂ y) ⟫=∞ R))
              → Tr∞ l m (PI (P ⟫=+ (λ x → Q x ⟫= R)) (inj₂ y))
  assPT+ppr {lu} {c₀} {c₁} {c₂} P Q R y l m tr = tr

--@BEGIN@assSeqeQ
≡assSeq : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process ∞ {lu} c₀)
          (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
          → (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
          → ((P ⟫= Q) ⟫= R) ≡
            (P ⟫= (λ x → Q x ⟫= R))
≡assSeq P Q R = (assSeq P Q R) , (assSeqr P Q R)
--@END


A.79 ProofLawsSeqTheoOnly.agda

--@PREFIX@mainProofLawsSeqTheoOnly
module ProofLawsSeqTheoOnly where

open import process
open import Size
open import Level
open import choiceSetU
open import auxData
open import Data.Maybe
open import Data.Product
open import Data.Fin
open import Data.List
open import Data.Sum
open import labelUniv
open import dataAuxFunction
open import externalChoice
open import sequentialCompositionRev
open import renamingResult
open import TraceWithoutSize
open import RefWithoutSize
open import primitiveProcess
open import traceEquivalence
open import Data.Product

lemTrTerminateBind : {lu : LUniv}(c : Choice)(P : Process+ ∞ {lu} c)(x : ChoiceSet (T P))
                     → Tr∞ [] (just (PT P x)) (PI (P ⟫=+ terminate) (inj₂ x))
lemTrTerminateBind c P x = ter (PT P x)

lemTrTerminateBind' : {lu : LUniv}(c₀ c₁ c₂ : Choice)
                      (P : Process+ ∞ {lu} c₀)
                      (Q : ChoiceSet c₀ → Process ∞ c₁)
                      (R : ChoiceSet c₁ → Process ∞ c₂)
                      (x : Fin 0)
                      → Tr∞ [] (just (PT (_⟫=+_ P (λ x₁ → _⟫=_ (Q x₁) R)) x)) (PI (_⟫=+_
lemTrTerminateBind' c P Q R x q ()

--@BEGIN@stopSeq
stopSeq : {lu : LUniv}{c₀ : Choice} (a : ChoiceSet c₀)
          (P : ChoiceSet c₀ → Process ∞ {lu} c₀)
          → (STOP c₀ ⟫= P) ⊑ STOP c₀
stopSeq a P .[] .nothing (tnode empty) = tnode empty
stopSeq a P .(efq _ :: l) m (tnode (extc l .m () x₁))
stopSeq a P l m (tnode (intc .l .m () x₁))
stopSeq a P .[] .(just (efq _)) (tnode (terc ()))
--@END

stopSeqr : {lu : LUniv}{c₀ : Choice} (a : ChoiceSet c₀)
           (P : ChoiceSet c₀ → Process ∞ {lu} c₀)
           → STOP c₀ ⊑ (STOP c₀ ⟫= P)
stopSeqr a P .[] .nothing (tnode empty) = tnode empty
stopSeqr a P .(efq _ :: l) m (tnode (extc l .m () x₁))
stopSeqr a P l m (tnode (intc .l .m (inj₁ ()) x₁))
stopSeqr a P l m (tnode (intc .l .m (inj₂ ()) x₁))
stopSeqr a P .[] .(just (PT (process+ (fin 0) efq efq
                                      (fin 0) efq (fin 0) efq "STOP"
                                      ⟫=+ P) _)) (tnode (terc ()))

--@BEGIN@stopSeqEq
≡stopSeq : {lu : LUniv}{c₀ : Choice} (a : ChoiceSet c₀)
           (P : ChoiceSet c₀ → Process ∞ {lu} c₀)
           → STOP c₀ {lu} ≡ (STOP c₀ {lu} ⟫= P)
--@END
≡stopSeq a P = (stopSeqr a P) , (stopSeq a P)

--@BEGIN@unitSeqL
unitSeqL : {lu : LUniv}{c₀ c₁ : Choice} (a : ChoiceSet c₀)
           (P : ChoiceSet c₀ → Process ∞ {lu} c₁)
           → (terminate a ⟫= P) ⊑ P a
unitSeqL a P l m q = q
--@END

unitSeqLr : {lu : LUniv}{c₀ c₁ : Choice} (a : ChoiceSet c₀)(P : ChoiceSet c₀ → Process ∞ {lu} c₁)
            → P a ⊑ (terminate a ⟫= P)
unitSeqLr {lu} {c₀} {c₁} a P l m q = q

--@BEGIN@unitSeqLEq
≡unitSeq : {lu : LUniv}{c₀ : Choice} (a : ChoiceSet c₀)
           (P : ChoiceSet c₀ → Process ∞ {lu} c₀)
           → P a ≡ (terminate a ⟫= P)
≡unitSeq a P = (unitSeqL a P) , unitSeqLr a P
--@END

lemTrTerminateBind'' : {lu : LUniv}(c : Choice)(P : Process+ ∞ {lu} c) (x : Fin 0)
                       → Tr+ {lu} [] (just (PT (P ⟫=+ terminate) x)) P
lemTrTerminateBind'' c P ()

lemtr+trterminate : {lu : LUniv}(c₀ : Choice) → (m : Maybe (ChoiceSet c₀)) → (P : Process+ ∞ {lu} c₀)
                    → (l : List (Label lu)) →
                    (y : ChoiceSet (T P)) → (traux : Tr {lu} {c₀} l m (terminate (PT P y))) → Tr+ l m P
lemtr+trterminate c₀ .(just (PT P y)) P .[] y (ter .(PT P y)) = terc y
lemtr+trterminate c₀ .nothing P .[] y (empty .(PT P y)) = empty

mutual
  unitSeqR : {lu : LUniv}{c₀ : Choice} (P : Process ∞ {lu} c₀)
             → (P ⟫= terminate) ⊑ P
  unitSeqR (terminate x) l m q = q
  unitSeqR (node x) l m (tnode q) = tnode (unitSeqR+ x l m q)

  --@BEGIN@unitSeqR
  unitSeqR+ : {lu : LUniv}{c₀ : Choice} (P : Process+ ∞ {lu} c₀)
              → (P ⟫=+ terminate) ⊑+ P
  unitSeqR+ P .[] .nothing empty
    = empty
  unitSeqR+ P .(Lab P x :: l) m (extc l .m x x₁)
    = extc l m x (unitSeqR∞ (PE P x) l m x₁)
  unitSeqR+ P l m (intc .l .m x x₁)
    = intc l m (inj₁ x) (unitSeqR∞ (PI P x) l m x₁)
  unitSeqR+ {lu} {c₀} P .[] .(just (PT P x)) (terc x) =
    intc [] (just (PT P x)) (inj₂ x)
         (lemTrTerminateBind c₀ P x)
  --@END

  unitSeqR∞ : {lu : LUniv}{c₀ : Choice} (P : Process∞ ∞ {lu} c₀)
              → (P ⟫=∞ terminate) ⊑∞ P
  unitSeqR∞ P l m q = unitSeqR (forcep P) l m q

mutual
  unitSeq₂r : {lu : LUniv}{c₀ : Choice} (P : Process ∞ {lu} c₀)
              → P ⊑ (P ⟫= terminate)
  unitSeq₂r {lu} {c₀} (terminate x) l m x₁ = x₁
  unitSeq₂r {lu} {c₀} (node x) l m (tnode tr) = tnode (unitSeq₂r+ x l m tr)

  unitSeq₂r+ : {lu : LUniv}{c₀ : Choice} (P : Process+ ∞ {lu} c₀)
               → P ⊑+ (P ⟫=+ terminate)
  unitSeq₂r+ P .[] .nothing (empty {P = .(P ⟫=+ terminate)}) = empty
  unitSeq₂r+ {lu} P .(Lab P x :: l) m (extc {P = .(P ⟫=+ terminate)} l .m x x₁) = extc l m
  unitSeq₂r+ {lu} {c₀} P l m (intc {P = .(_⟫=+_ {∞} {lu} {c₀} {c₀} P terminate)} .l .m (i
    intc l m
  unitSeq₂r+ {lu} {c₀} P l m (intc {P = .(_⟫=+_ {∞} {lu} {c₀} {c₀} P terminate)} .l .m (in
    let
      s : Set
      s = Tr {lu} {c₀} l m (forcep (PI (_⟫=+_ {∞} {lu} {c₀} {c₀} P terminate
      traux : Tr {lu} {c₀} l m (terminate (PT P y))
      traux = x₁
    in lemtr+trterminate c₀ m P l y traux
  unitSeq₂r+ {lu} {c₀} P .[] .(just (PT (P ⟫=+ terminate) x)) (terc {P = .(P ⟫=+ terminat

  unitSeq₂r∞ : {lu : LUniv}{c₀ : Choice} (P : Process∞ ∞ {lu} c₀)
               → P ⊑∞ (P ⟫=∞ terminate)
  unitSeq₂r∞ {lu} {c₀} P l m x = unitSeq₂r (forcep P {∞}) l m x

--@BEGIN@unitSeqREq
≡unitSeq₂ : {lu : LUniv}{c₀ c₁ : Choice} (P : Process ∞ {lu} c₀)
            → P ≡ (P ⟫= terminate)
≡unitSeq₂ {lu} {c₀} {c₁} P = (unitSeq₂r P) , (unitSeqR P)
--@END

mutual
  assSeq : {lu : LUniv}{c₀ c₁ c₂ : Choice} (P : Process ∞ {lu} c₀)
           (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
           (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
           → ((P ⟫= Q) ⟫= R) ⊑ (P ⟫= (λ x → Q x ⟫= R))
  assSeq {lu} {c₀} {c₁} {c₂} (terminate x) Q R l m q = q
  assSeq {lu} {c₀} {c₁} {c₂} (node x) Q R l m (tnode q) = tnode (assSeq₁₃+ x Q R l m q)

  --@BEGIN@assSeq
  assSeq₁₃+ : {lu : LUniv}{c₀ c₁ c₂ : Choice} (P : Process+ ∞ {lu} c₀)
              (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
              (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
              → ((P ⟫=+ Q) ⟫=+ R)
                ⊑+ (P ⟫=+ (λ x → Q x ⟫= R))
  assSeq₁₃+ P Q R .[] .nothing empty = empty
  assSeq₁₃+ P Q R .(Lab P x :: l) m (extc l .m x x₁)
    = extc l m x (assSeq+pp P Q R l x m x₁)
  assSeq₁₃+ P Q R l m (intc .l .m (inj₁ x) x₁)
    = intc l m (inj₁ (inj₁ x))
           (assSeq∞pp (PI P x) Q R l m x₁)
  assSeq₁₃+ P Q R l m (intc .l .m (inj₂ y) x₁)
    = intc l m (inj₁ (inj₂ y))
           (assPT+pp P Q R y l m x₁)
  assSeq₁₃+ {lu} {c₀} {c₁} {c₂} P Q R .[]
            .(just (PT (P ⟫=+ (λ x → Q x ⟫= R)) x))
            (terc x) = intc [] (just (PT (_⟫=+_
                                          P (λ x₁ → _⟫=_ (Q x₁) R)) x))
                            (inj₂ x) (lemTrTerminateBind' c₀ c₁ c₂ P Q R x)
  --@END

  assSeq∞pp : {lu : LUniv}{c₀ c₁ c₂ : Choice} (P : Process∞ ∞ {lu} c₀)
              (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
              (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
              → ((P ⟫=∞ Q) ⟫=∞ R) ⊑∞ (P ⟫=∞ (λ x → Q x ⟫= R))
  assSeq∞pp {lu} {c₀} {c₁} {c₂} P Q R l m q = assSeq (forcep P) Q R l m q

  assPT+pp : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process+ ∞ {lu} c₀)(Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
             → (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
             → (y : ChoiceSet (T P))
             → (l : List (Label lu))
             → (m : Maybe (ChoiceSet c₂))
             → (x : Tr∞ l m (PI (P ⟫=+ (λ x → Q x ⟫= R)) (inj₂ y)))
             → Tr∞ l m (PI (P ⟫=+ Q) (inj₂ y) ⟫=∞ R)
  assPT+pp {lu} {c₀} {c₁} {c₂} P Q R y l m tr = tr

  assSeq+pp : {lu : LUniv}{c₀ c₁ c₂ : Choice} (P : Process+ ∞ {lu} c₀)
              (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
              (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
              → (l : List (Label lu))
              → (x : ChoiceSet (E P))
              → (m : Maybe (ChoiceSet c₂))
              → (x₁ : Tr∞ l m (_⟫=∞_ (PE P x) (λ x₂ → _⟫=_ (Q x₂) R)))
              → Tr∞ l m (_⟫=∞_ (_⟫=∞_ (PE P x) Q) R)
  assSeq+pp P Q R l x m tr = assSeq (forcep (PE P x)) Q R l m tr

mutual
  assSeqr : {lu : LUniv}{c₀ c₁ c₂ : Choice} (P : Process ∞ {lu} c₀)
            (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
            (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
            → (P ⟫= (λ x → Q x ⟫= R)) ⊑ ((P ⟫= Q) ⟫= R)
  assSeqr (terminate x) Q R l m q = q
  assSeqr (node x) Q R l m (tnode q) = tnode (assSeq₁₃+r x Q R l m q)

  assSeq₁₃+r : {lu : LUniv}{c₀ c₁ c₂ : Choice} (P : Process+ ∞ {lu} c₀)
               (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
               (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
               → (P ⟫=+ (λ x → Q x ⟫= R)) ⊑+ ((P ⟫=+ Q) ⟫=+ R)
  assSeq₁₃+r P Q R .[] .nothing empty = empty
  assSeq₁₃+r P Q R .(Lab P x :: l) m (extc l .m x x₁)
    = extc l m x (assSeq+ppr P Q R l x m x₁)
  assSeq₁₃+r P Q R l m (intc .l .m (inj₁ (inj₁ x)) x₁)
    = intc l m (inj₁ x) (assSeq∞ppr (PI P x) Q R l m x₁)
  assSeq₁₃+r P Q R l m (intc .l .m (inj₁ (inj₂ y)) x₁)
    = intc l m (inj₂ y) (assPT+ppr P Q R y l m x₁)
  assSeq₁₃+r P Q R l m (intc .l .m (inj₂ ()) x₁)
  assSeq₁₃+r P Q R .[] .(just (PT ((P ⟫=+ Q) ⟫=+ R) _)) (terc ())

  assSeq+ppr : {lu : LUniv}{c₀ c₁ c₂ : Choice} (P : Process+ ∞ {lu} c₀)
               (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
               (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
               → (l : List (Label lu))
               → (x : ChoiceSet (E P))
               → (m : Maybe (ChoiceSet c₂))
               → (x₁ : Tr∞ l m (_⟫=∞_ (_⟫=∞_ (PE P x) Q) R))
               → Tr∞ l m (_⟫=∞_ (PE P x) (λ x₂ → _⟫=_ (Q x₂) R))
  assSeq+ppr P Q R l x m x₁ = assSeqr (forcep (PE P x)) Q R l m x₁

  assSeq∞ppr : {lu : LUniv}{c₀ c₁ c₂ : Choice} (P : Process∞ ∞ {lu} c₀)
               (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
               (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
               → (P ⟫=∞ (λ x → Q x ⟫= R)) ⊑∞ ((P ⟫=∞ Q) ⟫=∞ R)
  assSeq∞ppr {lu} {c₀} {c₁} {c₂} P Q R l m q = assSeqr (forcep P) Q R l m q

  assPT+ppr : {lu : LUniv} {c₀ c₁ c₂ : Choice}(P : Process+ ∞ {lu} c₀)(Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
              → (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
              → (y : ChoiceSet (T P))
              → (l : List (Label lu))
              → (m : Maybe (ChoiceSet c₂))
              → (x : Tr∞ l m (PI (P ⟫=+ Q) (inj₂ y) ⟫=∞ R))
              → Tr∞ l m (PI (P ⟫=+ (λ x → Q x ⟫= R)) (inj₂ y))
  assPT+ppr {lu} {c₀} {c₁} {c₂} P Q R y l m tr = tr

--@BEGIN@assSeqeQ
≡assSeq : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process ∞ {lu} c₀)
          (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
          → (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
          → ((P ⟫= Q) ⟫= R) ≡
            (P ⟫= (λ x → Q x ⟫= R))
≡assSeq P Q R = (assSeq P Q R) , (assSeqr P Q R)
--@END


A.80 proofMonadicLaw.agda 


--@PREFIX@mainproofMonadicLaw 


module proofMonadicLaw where 


open 

open 

open 

open 

open 

open 

open 

open 

open 

open 

open 

open 

open 

open 


mport process 

mport Size 

mport choiceSetU 

mport Data.Maybe 

mport Data.Product 

mport Data.Fin 

mport Data.List 

mport Data.Sum 

mport dataAuxFunction 

mport sequentialCompositionRev 

mport TraceWithoutSize 

mport RefWithoutSize 

mport traceEquivalence 

mport labelUniv 


--@BEGIN@lemTrTerminateBindDef 

lemTrTerminateBind : {lu : LUniv}(c : Choice)(P : Process+ oo {lu} c)(x : ChoiceSet (T P)) 

—> Troo [] (just (PT P x)) (PI (F>=+ terminate) (inj 2 x)) 
lemTrTerminateBind cPx = ter (PT P x) 


o 


-o 
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o-o 


lemTrTerminateBind” 

lemTrTerminateBind" 


: {lu : LUniv}(c : Choice)(P : Process+ oo {lu } c) (x : 
—y Tr+ [] (just (PT (P S>=+ terminate) x)) P 

cP () 


Fin 0) 


--(SEND 


--(SBEGINGlemTrTerminateBindoneDef 

lemTrTerminateBind’ : {lu : LUniv}(c 0 c\ c 2 : Choice) 

(P : Process+ oo {lu} c 0 ) 

(Q : ChoiceSet Co —y Process oo {lu} c\) 

(R : ChoiceSet c\ — y Process oo {lu} c 2 ) 

(x : Fin 0) 

— > Troo [] (just (PT (_ 3 >=+_ P (X x\ —y _ 3 >=_ ( Q xi) R )) a;))(PI (_3>=d 
lemTrTerminateBind’ c P Q R x q () 


--(SEND 


--(SBEGINGlemTrTerminateBindtwoDef 

lemTrTerminateBind"’ : {lu : LUniv}(co c\ c 2 : Choice) 

(P : Process-1- oo {lu} c 0 ) 

(Q : ChoiceSet c 0 — y Process oo {lu} c\) 

(R : ChoiceSet c\ —> Process oo {lu} c 2 ) 

(x : Fin 0) 

— y Tr+ [](just (PT ((P 3>=+ Q ) 3>=+ R) x))(P 3>=+ (X x\ — y (Q a;i) S> 
lemTrTerminateBind’” c 0 C\ c 2 P Q R () 


--(SEND 


- -@BEGIN(SmonadicLawoneDef 

monadicLawi : {lu : LUniv}{co c\ : Choice} (a : ChoiceSet c 0 ) 

(P : ChoiceSet Co —> Process oo {lu} c\) 

—y (terminate a 3 >= P) □ Pa 

monadicLaw! a P l m q = q 

--(SEND 


a 


o 
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--(SBEGINGmonadicLawonerDef 

monadicLawxR : {lu : LUniv}{c 0 C\ : Choice} (a : ChoiceSet c 0 ) 

(P : ChoiceSet c 0 —> Process oo {lu} ci) 

—> P a □ (terminate a 3>= P) 
monadicLawxR {cq} {cx} a P l m q = q 


--(SEND 


--@BEGIN@monadicLawoneEqDef 

=monadicl_awx : {lu : LUniv}{c 0 Cx : Choice} (a : ChoiceSet c 0 ) 

(P : ChoiceSet c 0 —> Process oo {lu} cx) 

—> (P a) = (terminate a 3 >= P) 

=monadicLawx {c 0 } {cx} a P = (monadicLawx a P ) , (monadicLawxR a P ) 


--(SEND 


mutual 

--(SBEGINGmonadicLawtwoDef 

monadicLaw 2 : {lu : LUniv}{c 0 : Choice} (P : Process oo {lu} cq) 

—> (P S>= terminate) C P 
monadicLawo {c 0 } (terminate x) l m q = q 

monadicLawo {c 0 } (node x ) l m (tnode q) = tnode (monadicLaw 2+ x l m q) 


--(SEND 


--(SBEGIN(SmonadicLawtowPlusDef 

monadicLaw 2+ : {lu : LUniv}{c 0 : Choice} (P : Process-)- oo {lu} Co) 

—> (P 3>=+ terminate) C+ P 
monadicLaw 2+ P .[] .nothing empty = empty 
monadicl_aw 2+ P .(Lab P x :: l) m (extc l .m x x{) = 
extc l m x 

(monadicLaw 2 oo (PE P x) l m xx) 


a 


-o 
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monadicLaw 2+ 


monadicLaw 2+ 


P l m (intc .1 .m x x i) = 
intc l m (inj! x) 

(monadicLaw 2 oo (PI P x) l m Xi) 

{lu } {c 0 } P .[] -(just (PT P x)) (terc x) = 
intc [] (just (PT P x)) (inj 2 x) 
(lemTrTerminateBind c 0 P x) 


--(SEND 


--@BEGIN(SmonadicLawtowInfDef 

monadicLaw 2 cx) : {lu : LUniv}{c 0 : Choice} (P : Processoo oo {lu} Co) 

—>■ (P 3>=oo terminate) Too P 
monadicl_aw 2 oo {lu} {c 0 } P l m q = monadicl_aw 2 (forcep P) l m q 


--@END 


--@BEGIN@lemtrPlustrterminateDef 

lemtr+trterminate : {lu : LUniv}(co : Choice) — >■ (m : Maybe (ChoiceSet c 0 )) 

—> (P : Process-1- oo {lu} Co) —>• (l : List (Label lu)) —>■ 

(y : ChoiceSet (T P)) —)■ (traux : Tr {lu} {co} l m (terminate (PT P y))) 
lemtr+trterminate c 0 -(just (PT P y)) P .[] y (ter .(PT P y)) = terc y 
lemtr+trterminate c 0 .nothing P .[] y (empty .(PT P y)) = empty 


--(SEND 


mutual 

--(SBEGINGmonadicLawtwoRDef 

monadicLaw 2 R : {lu : LUniv}{c 0 : Choice} (P : Process oo {lu} co) 

4 FE (P 3>= terminate) 
monadicLaw 2 R {lu} {c 0 } (terminate x) l m x i = x\ 

monadicLaw 2 R {lu} {c 0 } (node x) l m (tnode tr) = tnode (monadicLaw 2 R + x l m tr) 


--(SEND 


--(SBEGINGmonadicLawtwoRPlusDef 

monadicLaw 2 R + : {lu : LUniv}{c 0 : Choice} (P : Process+ oo {lu} c 0 ) 
—> P C+ (P S>=+ terminate) 


a 


-o 
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monadicLawoR-j. P .[] .nothing (empty {P = .(P ^$>=+ terminate)}) = empty 
monadicLaw 2 R + P .(Lab P x :: l) m (extc {P = .(P S>=+ terminate)} l .m x aq) = 

extc l m x (monadicLaw 2 Roo (PE P x) l m 
monadicLaw 2 R + { lu } {c 0 } P l m (intc {P = ,(_S>=+_ {oo} { lu } {c 0 } {c 0 } P terminate)} .1 

into l m x (monadicLaw 2 Roo (PI P x) l m : 
monadicLaw 2 R + {lu} {c 0 } P l m (intc {P = ,(_S>=+_ {oo} {lu} {c 0 } {co} P terminate)} .1 
let 

s : Set 

s = Tr {lu} {c 0 } l m (forcep (PI (_S>=+_ {oo} {lu} {c 0 } {c 0 } P terminate 

traux : Tr {lu} {c 0 } l m (terminate (PT P y )) 

traux = x\ 

in lemtr+trterminate cq m P l y traux 

monadicLaw 2 R + {lu} {c 0 } P .[] .(just (PT (P 3>=+ terminate) x)) (terc {P = .(P S>=+ ter 


--@END 


--@BEGIN@monadicLawtwoInfDef 

monadicLaw 2 Rcxa : {lu : LUniv}{co : Choice} (P : Processoo oo {lu} cq) 

—y P Coo (P 3>=oo terminate) 

monadicLaw 2 Roo {lu} {c 0 } P l m x = monadicLaw 2 R (forcep P {oo}) l m x 


--0END 


--@BEGIN@monadicLawtwoEqDef 

=monadicLaw 2 : {lu : LUniv}{c 0 C\ : Choice} (P : Process oo {lu} c 0 ) 

—> P = (P S>= terminate) 

=monadicLaw 2 {lu} {c 0 } {ci} P = (monadicLaw 2 R P) , (monadicLaw 2 P) 


--SEND 


mutual 

--@BEGIN@monadicLawthreeDef 


o 


-o 
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monadicLaw 3 : {lu : LUniv}{c 0 c± c 2 : Choice} (P : Process oo { lu } c 0 ) 

(Q : ChoiceSet c 0 —>■ Process oo {lu} ci) 

(R : ChoiceSet c\ —>■ Process oo {Pt} c 2 ) 

->■ ((-P >= <5) >= R) E (-P >= ( x X ->■ <5 X >= A )) 

monadicLaw 3 (terminate x) Q R l m q = q 

monadicLaw 3 (node x) Q R l m (tnode q) = tnode (monadicl_aw 3+ x Q R l m q) 
--SEND 


--@BEGIN@monadicLawthreePlusDef 


monadicl_aw 3+ 


monadicLaw 3+ 

monadicLaw 3+ 

monadicl_aw 3+ 

monadicLaw 3+ 

monadicLaw 3+ 


: {lu : LUniv}{c 0 C\ c 2 : Choice} (P : Process-1- oo {lu} c 0 ) 
(Q : ChoiceSet c 0 —>■ Process oo {lu} ci) 

(R : ChoiceSet c\ —> Process oo {/«} c 2 ) 

—> ((.P 3>=+ (J) 3>=+ P) C+ 

(P iS>=+ ( X x —> Q 3 : S>= P )) 

P Q R ■[] nothing empty = empty 
P Q R .(Lab P x :: l) m (extc l .m x x\) = 
extc l m x 

(monadicLawoo P Q R l x m x 1 ) 

P Q R l m (intc .1 .m (inji x) xi) = 
intc l m (inj 3 (inj x x)) 

(monadicLaw 3 oo (PI P x) Q R l m x\) 

P Q R l m (intc .1 .m (inj 2 y) x\) = 
intc l m (inji (inj 2 y )) 

(monadPT+ P Q R y l m x 1 ) 

P Q R .[] .(just (PT 

(P S>=+ (X x —P Q x 3>= R)) x)) (terc x) = efq x 


--(SEND 


--@BEGIN(SmonadicLawthreeInfDef 

monadicLaw 3 oo : {lu : LUniv}{c 0 C\ c 2 : Choice} (P : Processoo 00 {lu} c 0 ) 

( Q : ChoiceSet c 0 —> Process 00 {lu} c\) 

(R : ChoiceSet c\ —> Process 00 {Pt} c 2 ) 

->((p 3>=oo Q) 3>=oo A) Coo (P 3>=oo ( X x —» <5 x 3>= R )) 

monadicLaw 3 oo {lu} {c 0 } {c\} {c 2 } P Q R l m q = monadicLaw 3 (forcep P) Q R l m q 


--(SEND 


a 


-o 
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- -@BEGIN(SmonadPTDef 

monadPT+ : {lu : LUniv}{c 0 C\ c 2 : Choice}(P : Process+ oo {lu } c 0 ) 


(Q : ChoiceSet cq —> Process oo {lu} c\) 


->■ (P 

: ChoiceSet c\ — > Process oo {lu} c 2 ) 

->• (y 

: ChoiceSet (T P)) 


: List (Label lu)) 

— > ( m 

: Maybe (ChoiceSet c 2 )) 

— > (x : 

Troo l m (PI (P »=+ (X x -)• Q x »= R)) (inj 2 y))) 

-> 

Troo l m (PI (P 3>=+ Q) (inj 2 y) 3>=oo R) 

monadPT+ 

{lu} {c 0 } {ci} {c 2 } P Q R y l m tr = tr 


--(SEND 


--<SBEGIN(SmonadDownSizeDef 

monadDownSize : {lu : LUniv}(c 0 Ci : Choice) (P : Process oo {lu} c 0 )(Q : ChoiceSet c 0 —> 
—>• (Z : List (Label lu) ) 

—>■ (m : Maybe (ChoiceSet ci)) 

—* Tr l m (_;§>=_ P Q ) 

-> Tr l m (_;§>=_ P Q) 

monadDownSize c 0 C\ (terminate x) Q l m tr = tr 

monadDownSize c 0 C\ (node x) Q l m (tnode {/ = ./} {x = .m} {P = .(_^=+_ x Q)} Xi) - 


--(SEND 


- -@BEGIN(SmonadDownSizePlusDef 


monadDownSize+ : {lu 

—> 

—> 


monadDownSize+ 

c 0 

Cl 

monadDownSize+ 

c 0 

Cl 

monadDownSize+ 

c 0 

Cl 

monadDownSize+ 

c 0 

Cl 

monadDownSize+ 

c 0 

Cl 


: LUniv}(c 0 c\ : Choice) (P : Process+ oo {lu} c 0 )(Q : ChoiceSet c 0 
(l : List (Label lu)) 

(m : Maybe (ChoiceSet ci)) 

Tr+ l m (_>=+_ P Q) 

Tr+ l m (_»=+_ P Q) 

q P .[] .nothing (empty {P = ,(_^>=+_ q P)}) = empty 
q P .(Lab q x :: l) m (extc {P = ,(_3>=+_ q P)} l .m x xi) = extc 
q P l m (intc {P = .(_3>=+_ q P)} .1 .m (inji x) xi) = intc l m (inj 
q P l m (intc {P = .(_3>=+_ q P)} .1 .m (inj 2 y) X\) = intc l m (inj 
q P .[] .(just (PT (_»=+_ q P) x)) (terc {P = .(_»=+_ q P)} x) 


--(SEND 


o 


o 
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--@BEGIN(SmonadDownSizePTDef 

monadDownSizePT : {lu : LUniv}(c 0 c\ : Choice) ( P : Process+ oo { lu } c 0 )(Q : ChoiceSet cq — > Prc 
—y ( y : ChoiceSet (T P)) 

—> (l : List (Label lu)) 

—> (m : Maybe (ChoiceSet ci)) 

->■ Troo l m (PI (_>=+_ P Q) (inj 2 y)) 

-> Troo l m (PI (_>=+_ P Q) (inj 2 y)) 
monadDownSizePT cq c\ P Q y l m tr = tr 


--(SEND 


--@BEGIN@monadDownSizeInfDef 

monadDownSizeoo : {lu : LUniv}(co c\ : Choice) (P : Processoo oo {lu} co)(Q : ChoiceSet Co —> Pro 
—> (l : List (Label lu)) 

—> (m : Maybe (ChoiceSet ci)) 

—> Troo l m (_^>=oo_ P Q) 

—> Troo l m (_^>=oo_ P Q) 
monadDownSizeoo Co c\ P Q l m tr = tr 

--(SEND 

--(SBEGINGmonadicLawInfDef 

monadicLawoo : {lu : LUniv}{c 0 c\ c 2 : Choice} (P : Process-)- oo {lu} c 0 ) 

( Q : ChoiceSet c 0 —> Process oo {lu} c\) 

(R : ChoiceSet c\ —> Process oo {///,} c 2 ) 

—>■ (l : List (Label lu)) 

— y (x : ChoiceSet (E P)) 

—> (m : Maybe (ChoiceSet c 2 )) 

—> (xi : Troo l m (_3>=oo_ (PE P x) (X x 2 —>■ _^>=_ (Q x 2 ) R))) 

—> Troo l m (_^>=oo_ (_^>=oo_ (PE P x) Q) R) 
monadicLawoo P Q R l x nn tr = monadicLaw 3 (forcep (PE P x)) Q R l m tr 


--(SEND 


a 


-o 
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mutual 

  --@BEGIN@monadicLawRThreeDef
  monadicLaw₃R : {lu : LUniv}{c₀ c₁ c₂ : Choice} (P : Process ∞ {lu} c₀)
                 (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
                 (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
                 → (P ⟫= (λ x → Q x ⟫= R)) ⊑ ((P ⟫= Q) ⟫= R)
  monadicLaw₃R {lu} {c₀} {c₁} {c₂} (terminate x) Q R l m x₁ = x₁
  monadicLaw₃R {lu} {c₀} {c₁} {c₂} (node x) Q R l m (tnode x₁) = tnode (monadicLaw₃R+ x Q R l m x₁)
  --@END


  --@BEGIN@monadicLawRPlusThreeDef
  monadicLaw₃R+ : {lu : LUniv}{c₀ c₁ c₂ : Choice} (P : Process+ ∞ {lu} c₀)
                  (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
                  (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
                  → (P ⟫=+ (λ x → Q x ⟫= R)) ⊑+ ((P ⟫=+ Q) ⟫=+ R)
  monadicLaw₃R+ {lu} {c₀} {c₁} {c₂} P Q R .[] .nothing (empty {P
      = .(_⟫=+_ {∞} {lu} {c₁} {c₂} (_⟫=+_ {∞} {lu} {c₀} {c₁} P Q) R)}) = empty
  monadicLaw₃R+ {lu} {c₀} {c₁} {c₂} P Q R .(Lab P x ∷ l) m (extc {P
      = .(_⟫=+_ {∞} {lu} {c₁} {c₂} (_⟫=+_ {∞} {lu} {c₀} {c₁} P Q) R)} l .m x x₁)
      = extc l m x (monadicLaw₃R∞ (PE P x) Q R l m x₁)
  monadicLaw₃R+ {lu} {c₀} {c₁} {c₂} P Q R l m (intc {P
      = .(_⟫=+_ {∞} {lu} {c₁} {c₂} (_⟫=+_ {∞} {lu} {c₀} {c₁} P Q) R)} .l .m (inj₁ (inj₁ x)) x₁)
      = intc l m (inj₁ x) (monadicLaw₃R∞ (PI P x) Q R l m x₁)
  monadicLaw₃R+ {lu} {c₀} {c₁} {c₂} P Q R l m (intc {P
      = .(_⟫=+_ {∞} {lu} {c₁} {c₂} (_⟫=+_ {∞} {lu} {c₀} {c₁} P Q) R)} .l .m (inj₁ (inj₂ y)) x₁)
      = intc l m (inj₂ y) (monadPT+' P Q R y l m x₁)
  monadicLaw₃R+ {lu} {c₀} {c₁} {c₂} P Q R l m (intc {P
      = .(_⟫=+_ {∞} {lu} {c₁} {c₂} (_⟫=+_ {∞} {lu} {c₀} {c₁} P Q) R)} .l .m (inj₂ ()) x₁)
  monadicLaw₃R+ {lu} {c₀} {c₁} {c₂} P Q R .[] .(just (PT (_⟫=+_ (P ⟫=+ Q) R) x))
      (terc {P = .(_⟫=+_ (P ⟫=+ Q) R)} x)
      = lemTrTerminateBind''' c₀ c₁ c₂ P Q R x
  --@END


  --@BEGIN@monadicLawTreeInfDef
  monadicLaw₃R∞ : {lu : LUniv}{c₀ c₁ c₂ : Choice} (P : Process∞ ∞ {lu} c₀)
                  (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
                  (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
                  → (P ⟫=∞ (λ x → Q x ⟫= R)) ⊑∞ ((P ⟫=∞ Q) ⟫=∞ R)
  monadicLaw₃R∞ {lu} {c₀} {c₁} {c₂} P Q R l m q = monadicLaw₃R (forcep P) Q R l m q
  --@END


  --@BEGIN@monadPTplusDef
  monadPT+' : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process+ ∞ {lu} c₀)(Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
              → (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
              → (y : ChoiceSet (T P))
              → (l : List (Label lu))
              → (m : Maybe (ChoiceSet c₂))
              → (x : Tr∞ l m (_⟫=∞_ (PI (_⟫=+_ P Q) (inj₂ y)) R))
              → Tr∞ l m (PI (_⟫=+_ P (λ x → _⟫=_ (Q x) R)) (inj₂ y))
  monadPT+' {lu} {c₀} {c₁} {c₂} P Q R y l m tr = tr
  --@END


--@BEGIN@monadicLawEqThreeDef
≡monadicLaw₃ : {lu : LUniv}{c₀ c₁ c₂ : Choice} (P : Process ∞ {lu} c₀)
               (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
               (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
               → ((P ⟫= Q) ⟫= R) ≡ (P ⟫= (λ x → Q x ⟫= R))
≡monadicLaw₃ {c₀} {c₁} {c₂} P Q R = (monadicLaw₃ P Q R) ,
                                     (monadicLaw₃R P Q R)
--@END


A.81 proofMonadicLawTheoremsOnly.agda


--@PREFIX@mainproofMonadicLawTheoremsOnly

module proofMonadicLawTheoremsOnly where

open import process
open import Size
open import choiceSetU
open import Data.Maybe
open import Data.Product
open import Data.Fin
open import Data.List
open import Data.Sum
open import dataAuxFunction
open import sequentialCompositionRev
open import TraceWithoutSize
open import RefWithoutSize
open import traceEquivalence
open import labelUniv


--@BEGIN@lemTrTerminateBindDef
lemTrTerminateBind : {lu : LUniv}(c : Choice)(P : Process+ ∞ {lu} c)(x : ChoiceSet (T P))
                     → Tr∞ [] (just (PT P x)) (PI (P ⟫=+ terminate) (inj₂ x))
lemTrTerminateBind c P x = ter (PT P x)

lemTrTerminateBind'' : {lu : LUniv}(c : Choice)(P : Process+ ∞ {lu} c) (x : Fin 0)
                       → Tr+ [] (just (PT (P ⟫=+ terminate) x)) P
lemTrTerminateBind'' c P ()
--@END


--@BEGIN@lemTrTerminateBindoneDef
lemTrTerminateBind' : {lu : LUniv}(c₀ c₁ c₂ : Choice)
                      (P : Process+ ∞ {lu} c₀)
                      (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
                      (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
                      (x : Fin 0)
                      → Tr∞ [] (just (PT (_⟫=+_ P (λ x₁ → _⟫=_ (Q x₁) R)) x)) (PI
lemTrTerminateBind' c P Q R x q ()
--@END


--@BEGIN@lemTrTerminateBindtwoDef
lemTrTerminateBind''' : {lu : LUniv}(c₀ c₁ c₂ : Choice)
                        (P : Process+ ∞ {lu} c₀)
                        (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
                        (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
                        (x : Fin 0)
                        → Tr+ [] (just (PT ((P ⟫=+ Q) ⟫=+ R) x)) (P ⟫=+ (λ x₁ → (Q x₁) ⟫= R))
lemTrTerminateBind''' c₀ c₁ c₂ P Q R ()
--@END


--@BEGIN@monadicLawoneDef
monadicLaw₁ : {lu : LUniv}{c₀ c₁ : Choice} (a : ChoiceSet c₀)
              (P : ChoiceSet c₀ → Process ∞ {lu} c₁)
              → (terminate a ⟫= P) ⊑ P a
--@END
monadicLaw₁ a P l m q = q


--@BEGIN@monadicLawonerDef
monadicLaw₁R : {lu : LUniv}{c₀ c₁ : Choice} (a : ChoiceSet c₀)
               (P : ChoiceSet c₀ → Process ∞ {lu} c₁)
               → P a ⊑ (terminate a ⟫= P)
--@END
monadicLaw₁R {c₀} {c₁} a P l m q = q


--@BEGIN@monadicLawoneEqDef
≡monadicLaw₁ : {lu : LUniv}{c₀ c₁ : Choice} (a : ChoiceSet c₀)
               (P : ChoiceSet c₀ → Process ∞ {lu} c₁)
               → (P a) ≡ (terminate a ⟫= P)
--@END
≡monadicLaw₁ {c₀} {c₁} a P = (monadicLaw₁ a P) , (monadicLaw₁R a P)


mutual
  --@BEGIN@monadicLawtwoDef
  monadicLaw₂ : {lu : LUniv}{c₀ : Choice}
                (P : Process ∞ {lu} c₀)
                → (P ⟫= terminate) ⊑ P
  --@END
  monadicLaw₂ {c₀} (terminate x) l m q = q
  monadicLaw₂ {c₀} (node x) l m (tnode q) = tnode (monadicLaw₂+ x l m q)


  --@BEGIN@monadicLawtowPlusDef
  monadicLaw₂+ : {lu : LUniv}{c₀ : Choice} (P : Process+ ∞ {lu} c₀)
                 → (P ⟫=+ terminate) ⊑+ P
  --@END
  monadicLaw₂+ P .[] .nothing empty = empty
  monadicLaw₂+ P .(Lab P x ∷ l) m (extc l .m x x₁) = extc l m x (monadicLaw₂∞ (PE P x) l m x₁)
  monadicLaw₂+ P l m (intc .l .m x x₁) = intc l m (inj₁ x) (monadicLaw₂∞ (PI P x) l m x₁)
  monadicLaw₂+ {lu} {c₀} P .[] .(just (PT P x)) (terc x) =
      intc [] (just (PT P x)) (inj₂ x) (lemTrTerminateBind c₀ P x)


  --@BEGIN@monadicLawtowInfDef
  monadicLaw₂∞ : {lu : LUniv}{c₀ : Choice} (P : Process∞ ∞ {lu} c₀)
                 → (P ⟫=∞ terminate) ⊑∞ P
  --@END
  monadicLaw₂∞ {lu} {c₀} P l m q = monadicLaw₂ (forcep P) l m q


--@BEGIN@lemtrPlustrterminateDef
lemtr+trterminate : {lu : LUniv}(c₀ : Choice) → (m : Maybe (ChoiceSet c₀))
                    → (P : Process+ ∞ {lu} c₀) → (l : List (Label lu))
                    → (y : ChoiceSet (T P)) → (traux : Tr {lu} {c₀} l m (terminate (PT P y)))
                    → Tr+ l m P
lemtr+trterminate c₀ .(just (PT P y)) P .[] y (ter .(PT P y)) = terc y
lemtr+trterminate c₀ .nothing P .[] y (empty .(PT P y)) = empty
--@END


mutual
  --@BEGIN@monadicLawtwoRDef
  monadicLaw₂R : {lu : LUniv}{c₀ : Choice} (P : Process ∞ {lu} c₀)
                 → P ⊑ (P ⟫= terminate)
  --@END
  monadicLaw₂R {lu} {c₀} (terminate x) l m x₁ = x₁
  monadicLaw₂R {lu} {c₀} (node x) l m (tnode tr) = tnode (monadicLaw₂R+ x l m tr)


  --@BEGIN@monadicLawtwoRPlusDef
  monadicLaw₂R+ : {lu : LUniv}{c₀ : Choice} (P : Process+ ∞ {lu} c₀)
                  → P ⊑+ (P ⟫=+ terminate)
  --@END
  monadicLaw₂R+ P .[] .nothing (empty {P = .(P ⟫=+ terminate)}) = empty
  monadicLaw₂R+ P .(Lab P x ∷ l) m (extc {P = .(P ⟫=+ terminate)} l .m x x₁) =
      extc l m x (monadicLaw₂R∞ (PE P x) l m x₁)
  monadicLaw₂R+ {lu} {c₀} P l m (intc {P = .(_⟫=+_ {∞} {lu} {c₀} {c₀} P terminate)} .l .m (inj₁ x) x₁) =
      intc l m x (monadicLaw₂R∞ (PI P x) l m x₁)
  monadicLaw₂R+ {lu} {c₀} P l m (intc {P = .(_⟫=+_ {∞} {lu} {c₀} {c₀} P terminate)} .l .m (inj₂ y) x₁) =
      let
        s : Set
        s = Tr {lu} {c₀} l m (forcep (PI (_⟫=+_ {∞} {lu} {c₀} {c₀} P terminate) (inj₂ y)))
        traux : Tr {lu} {c₀} l m (terminate (PT P y))
        traux = x₁
      in lemtr+trterminate c₀ m P l y traux
  monadicLaw₂R+ {lu} {c₀} P .[] .(just (PT (P ⟫=+ terminate) x)) (terc {P = .(P ⟫=+ terminate)} x)


  --@BEGIN@monadicLawtwoInfDef
  monadicLaw₂R∞ : {lu : LUniv}{c₀ : Choice} (P : Process∞ ∞ {lu} c₀)
                  → P ⊑∞ (P ⟫=∞ terminate)
  --@END
  monadicLaw₂R∞ {lu} {c₀} P l m x = monadicLaw₂R (forcep P {∞}) l m x


--@BEGIN@monadicLawtwoEqDef
≡monadicLaw₂ : {lu : LUniv}{c₀ c₁ : Choice}
               (P : Process ∞ {lu} c₀)
               → P ≡ (P ⟫= terminate)
--@END
≡monadicLaw₂ {lu} {c₀} {c₁} P = (monadicLaw₂R P) , (monadicLaw₂ P)

mutual

  --@BEGIN@monadicLawthreeDef
  monadicLaw₃ : {lu : LUniv}{c₀ c₁ c₂ : Choice}
                (P : Process ∞ {lu} c₀)
                (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
                (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
                → ((P ⟫= Q) ⟫= R) ⊑ (P ⟫= (λ x → Q x ⟫= R))
  --@END
  monadicLaw₃ (terminate x) Q R l m q = q
  monadicLaw₃ (node x) Q R l m (tnode q) = tnode (monadicLaw₃+ x Q R l m q)


  --@BEGIN@monadicLawthreePlusDef
  monadicLaw₃+ : {lu : LUniv}{c₀ c₁ c₂ : Choice} (P : Process+ ∞ {lu} c₀)
                 (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
                 (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
                 → ((P ⟫=+ Q) ⟫=+ R) ⊑+
                   (P ⟫=+ (λ x → Q x ⟫= R))
  --@END
  monadicLaw₃+ P Q R .[] .nothing empty = empty
  monadicLaw₃+ P Q R .(Lab P x ∷ l) m (extc l .m x x₁) =
      extc l m x
           (monadicLaw∞ P Q R l x m x₁)
  monadicLaw₃+ P Q R l m (intc .l .m (inj₁ x) x₁) =
      intc l m (inj₁ (inj₁ x))
           (monadicLaw₃∞ (PI P x) Q R l m x₁)
  monadicLaw₃+ P Q R l m (intc .l .m (inj₂ y) x₁) =
      intc l m (inj₁ (inj₂ y))
           (monadPT+ P Q R y l m x₁)
  monadicLaw₃+ P Q R .[] .(just (PT (P ⟫=+ (λ x → Q x ⟫= R)) x)) (terc x) = efq x


  --@BEGIN@monadicLawthreeInfDef
  monadicLaw₃∞ : {lu : LUniv}{c₀ c₁ c₂ : Choice} (P : Process∞ ∞ {lu} c₀)
                 (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
                 (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
                 → ((P ⟫=∞ Q) ⟫=∞ R) ⊑∞ (P ⟫=∞ (λ x → Q x ⟫= R))
  --@END
  monadicLaw₃∞ {lu} {c₀} {c₁} {c₂} P Q R l m q = monadicLaw₃ (forcep P) Q R l m q


  --@BEGIN@monadPTDef
  monadPT+ : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process+ ∞ {lu} c₀)
             (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
             (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
             → (y : ChoiceSet (T P))
             → (l : List (Label lu))
             → (m : Maybe (ChoiceSet c₂))
             → (x : Tr∞ l m (PI (P ⟫=+ (λ x → Q x ⟫= R)) (inj₂ y)))
             → Tr∞ l m (PI (P ⟫=+ Q) (inj₂ y) ⟫=∞ R)
  monadPT+ {lu} {c₀} {c₁} {c₂} P Q R y l m tr = tr
  --@END


--@BEGIN@monadDownSizeDef
monadDownSize : {lu : LUniv}(c₀ c₁ : Choice) (P : Process ∞ {lu} c₀)(Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
                → (l : List (Label lu))
                → (m : Maybe (ChoiceSet c₁))
                → Tr l m (_⟫=_ P Q)
                → Tr l m (_⟫=_ P Q)
monadDownSize c₀ c₁ (terminate x) Q l m tr = tr
monadDownSize c₀ c₁ (node x) Q l m (tnode {l = .l} {m = .m} {P = .(_⟫=+_ x Q)} x₁) =
    tnode (monadDownSize+ c₀ c₁ x Q l m x₁)
--@END
--@BEGIN@monadDownSizePlusDef
monadDownSize+ : {lu : LUniv}(c₀ c₁ : Choice) (P : Process+ ∞ {lu} c₀)(Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
                 → (l : List (Label lu))
                 → (m : Maybe (ChoiceSet c₁))
                 → Tr+ l m (_⟫=+_ P Q)
                 → Tr+ l m (_⟫=+_ P Q)
monadDownSize+ c₀ c₁ q P .[] .nothing (empty {P = .(_⟫=+_ q P)}) = empty
monadDownSize+ c₀ c₁ q P .(Lab q x ∷ l) m (extc {P = .(_⟫=+_ q P)} l .m x x₁) = extc l m x (monadDownSize∞ c₀ c₁ (PE q x) P l m x₁)
monadDownSize+ c₀ c₁ q P l m (intc {P = .(_⟫=+_ q P)} .l .m (inj₁ x) x₁) = intc l m (inj₁ x) (monadDownSize∞ c₀ c₁ (PI q x) P l m x₁)
monadDownSize+ c₀ c₁ q P l m (intc {P = .(_⟫=+_ q P)} .l .m (inj₂ y) x₁) = intc l m (inj₂ y) (monadDownSizePT c₀ c₁ q P y l m x₁)
monadDownSize+ c₀ c₁ q P .[] .(just (PT (_⟫=+_ q P) x)) (terc {P = .(_⟫=+_ q P)} x) = efq x
--@END


--@BEGIN@monadDownSizePTDef
monadDownSizePT : {lu : LUniv}(c₀ c₁ : Choice) (P : Process+ ∞ {lu} c₀)(Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
                  → (y : ChoiceSet (T P))
                  → (l : List (Label lu))
                  → (m : Maybe (ChoiceSet c₁))
                  → Tr∞ l m (PI (_⟫=+_ P Q) (inj₂ y))
                  → Tr∞ l m (PI (_⟫=+_ P Q) (inj₂ y))
monadDownSizePT c₀ c₁ P Q y l m tr = tr
--@END


--@BEGIN@monadDownSizeInfDef
monadDownSize∞ : {lu : LUniv}(c₀ c₁ : Choice) (P : Process∞ ∞ {lu} c₀)(Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
                 → (l : List (Label lu))
                 → (m : Maybe (ChoiceSet c₁))
                 → Tr∞ l m (_⟫=∞_ P Q)
                 → Tr∞ l m (_⟫=∞_ P Q)
monadDownSize∞ c₀ c₁ P Q l m tr = tr
--@END


--@BEGIN@monadicLawInfDef
monadicLaw∞ : {lu : LUniv}{c₀ c₁ c₂ : Choice} (P : Process+ ∞ {lu} c₀)
              (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
              (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
              → (l : List (Label lu))
              → (x : ChoiceSet (E P))
              → (m : Maybe (ChoiceSet c₂))
              → (x₁ : Tr∞ l m (_⟫=∞_ (PE P x) (λ x₂ → _⟫=_ (Q x₂) R)))
              → Tr∞ l m (_⟫=∞_ (_⟫=∞_ (PE P x) Q) R)
--@END
monadicLaw∞ P Q R l x m tr = monadicLaw₃ (forcep (PE P x)) Q R l m tr


mutual
  --@BEGIN@monadicLawRThreeDef
  monadicLaw₃R : {lu : LUniv}{c₀ c₁ c₂ : Choice} (P : Process ∞ {lu} c₀)
                 (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
                 (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
                 → (P ⟫= (λ x → Q x ⟫= R)) ⊑ ((P ⟫= Q) ⟫= R)
  --@END
  monadicLaw₃R {lu} {c₀} {c₁} {c₂} (terminate x) Q R l m x₁ = x₁
  monadicLaw₃R {lu} {c₀} {c₁} {c₂} (node x) Q R l m (tnode x₁) = tnode (monadicLaw₃R+ x Q R l m x₁)

  --@BEGIN@monadicLawRPlusThreeDef
  monadicLaw₃R+ : {lu : LUniv}{c₀ c₁ c₂ : Choice} (P : Process+ ∞ {lu} c₀)
                  (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
                  (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
                  → (P ⟫=+ (λ x → Q x ⟫= R)) ⊑+ ((P ⟫=+ Q) ⟫=+ R)
  --@END
  monadicLaw₃R+ {lu} {c₀} {c₁} {c₂} P Q R .[] .nothing (empty {P
      = .(_⟫=+_ {∞} {lu} {c₁} {c₂} (_⟫=+_ {∞} {lu} {c₀} {c₁} P Q) R)}) = empty
  monadicLaw₃R+ {lu} {c₀} {c₁} {c₂} P Q R .(Lab P x ∷ l) m (extc {P
      = .(_⟫=+_ {∞} {lu} {c₁} {c₂} (_⟫=+_ {∞} {lu} {c₀} {c₁} P Q) R)} l .m x x₁)
      = extc l m x (monadicLaw₃R∞ (PE P x) Q R l m x₁)
  monadicLaw₃R+ {lu} {c₀} {c₁} {c₂} P Q R l m (intc {P
      = .(_⟫=+_ {∞} {lu} {c₁} {c₂} (_⟫=+_ {∞} {lu} {c₀} {c₁} P Q) R)} .l .m (inj₁ (inj₁ x)) x₁)
      = intc l m (inj₁ x) (monadicLaw₃R∞ (PI P x) Q R l m x₁)
  monadicLaw₃R+ {lu} {c₀} {c₁} {c₂} P Q R l m (intc {P
      = .(_⟫=+_ {∞} {lu} {c₁} {c₂} (_⟫=+_ {∞} {lu} {c₀} {c₁} P Q) R)} .l .m (inj₁ (inj₂ y)) x₁)
      = intc l m (inj₂ y) (monadPT+' P Q R y l m x₁)
  monadicLaw₃R+ {lu} {c₀} {c₁} {c₂} P Q R l m (intc {P
      = .(_⟫=+_ {∞} {lu} {c₁} {c₂} (_⟫=+_ {∞} {lu} {c₀} {c₁} P Q) R)} .l .m (inj₂ ()) x₁)
  monadicLaw₃R+ {lu} {c₀} {c₁} {c₂} P Q R .[] .(just (PT (_⟫=+_ (P ⟫=+ Q) R) x))
      (terc {P = .(_⟫=+_ (P ⟫=+ Q) R)} x)
      = lemTrTerminateBind''' c₀ c₁ c₂ P Q R x

  --@BEGIN@monadicLawTreeInfDef
  monadicLaw₃R∞ : {lu : LUniv}{c₀ c₁ c₂ : Choice} (P : Process∞ ∞ {lu} c₀)
                  (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
                  (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
                  → (P ⟫=∞ (λ x → Q x ⟫= R)) ⊑∞ ((P ⟫=∞ Q) ⟫=∞ R)
  --@END
  monadicLaw₃R∞ {lu} {c₀} {c₁} {c₂} P Q R l m q = monadicLaw₃R (forcep P) Q R l m q


  --@BEGIN@monadPTplusDef
  monadPT+' : {lu : LUniv}{c₀ c₁ c₂ : Choice}(P : Process+ ∞ {lu} c₀)(Q : ChoiceSet c₀ →  Process ∞ {lu} c₁)
              → (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
              → (y : ChoiceSet (T P))
              → (l : List (Label lu))
              → (m : Maybe (ChoiceSet c₂))
              → (x : Tr∞ l m (_⟫=∞_ (PI (_⟫=+_ P Q) (inj₂ y)) R))
              → Tr∞ l m (PI (_⟫=+_ P (λ x → _⟫=_ (Q x) R)) (inj₂ y))
  monadPT+' {lu} {c₀} {c₁} {c₂} P Q R y l m tr = tr
  --@END


--@BEGIN@monadicLawEqThreeDef
≡monadicLaw₃ : {lu : LUniv}{c₀ c₁ c₂ : Choice}
               (P : Process ∞ {lu} c₀)
               (Q : ChoiceSet c₀ → Process ∞ {lu} c₁)
               (R : ChoiceSet c₁ → Process ∞ {lu} c₂)
               → ((P ⟫= Q) ⟫= R) ≡ (P ⟫= (λ x → Q x ⟫= R))
--@END
≡monadicLaw₃ {c₀} {c₁} {c₂} P Q R = (monadicLaw₃ P Q R) ,
                                     (monadicLaw₃R P Q R)
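The trace semantics in which proofMonadicLaw.agda and proofMonadicLawTheoremsOnly.agda above prove the three monad laws, as an added executable model; this is not code from CSP-Agda or from the thesis. It simplifies the library in three ways: processes are finite trees rather than sized coinductive ones, results are untyped Python values, and the names used here (`traces`, `bind`, `refines`, `equivalent`, `monad_laws_hold`, the `SAMPLE_*` processes) are this example's own. Traces `(l, m)` follow `Tr l m P`, bind follows `_⟫=_` (a termination of P becomes an internal choice continuing with Q, the bound node has no termination of its own), and refinement is trace inclusion.

```python
"""Executable finite model of the trace semantics the proofs above reason in.

Added illustration, not code from CSP-Agda: processes are finite trees rather
than the library's sized, coinductive ones, results are untyped Python values,
and every name here (traces, bind, refines, SAMPLE_*) is this example's own.
"""
from dataclasses import dataclass
from typing import Any, Callable, FrozenSet, Tuple, Union

# A trace is (l, m): l the labels seen, m = None when the trace did not
# terminate (CSP-Agda's `nothing`) or ("tick", a) when it ended with result a
# (`just a`).
Trace = Tuple[Tuple[str, ...], Any]


@dataclass(frozen=True)
class Terminate:                 # terminate a
    value: Any


@dataclass(frozen=True)
class Node:                      # node P+, P+ given by its three kinds of choice
    external: Tuple[Tuple[str, "Process"], ...] = ()   # (Lab x, PE x) for x : E
    internal: Tuple["Process", ...] = ()                # PI x for x : I
    termination: Tuple[Any, ...] = ()                   # PT x for x : T


Process = Union[Terminate, Node]


def traces(p: Process) -> FrozenSet[Trace]:
    """All (l, m) with Tr l m P: empty/ter for terminate, empty/extc/intc/terc for node."""
    if isinstance(p, Terminate):
        return frozenset({((), None), ((), ("tick", p.value))})
    out = {((), None)}                                       # empty
    for lab, q in p.external:                                # extc
        out |= {((lab,) + l, m) for l, m in traces(q)}
    for q in p.internal:                                     # intc
        out |= traces(q)
    for a in p.termination:                                  # terc
        out.add(((), ("tick", a)))
    return frozenset(out)


def bind(p: Process, q: Callable[[Any], Process]) -> Process:
    """P ⟫= Q.  terminate a ⟫= Q = Q a.  On a node the external and internal
    choices are bound pointwise, each termination y of P becomes an internal
    choice continuing as Q (PT P y) (the `inj₂ y` cases of the proofs), and the
    bound node has no termination choices of its own (T = Fin 0, hence `efq x`)."""
    if isinstance(p, Terminate):
        return q(p.value)
    return Node(external=tuple((lab, bind(r, q)) for lab, r in p.external),
                internal=tuple(bind(r, q) for r in p.internal)
                + tuple(q(a) for a in p.termination),
                termination=())


def refines(p: Process, q: Process) -> bool:
    """P ⊑ Q in the trace model: every trace of Q is a trace of P."""
    return traces(q) <= traces(p)


def equivalent(p: Process, q: Process) -> bool:
    """P ≡ Q = (P ⊑ Q) × (Q ⊑ P)."""
    return refines(p, q) and refines(q, p)


def monad_laws_hold(a: Any, p: Process, q: Callable[[Any], Process],
                    r: Callable[[Any], Process]) -> Tuple[bool, bool, bool]:
    """The three laws as trace equivalences (≡monadicLaw₁, ≡monadicLaw₂, ≡monadicLaw₃)."""
    law1 = equivalent(bind(Terminate(a), q), q(a))
    law2 = equivalent(bind(p, Terminate), p)
    law3 = equivalent(bind(bind(p, q), r), bind(p, lambda x: bind(q(x), r)))
    return law1, law2, law3


# Constructed sample processes (not from the thesis), chosen so that P can
# terminate after an event, after a silent step, and immediately.
SAMPLE_P = Node(external=(("coin", Node(external=(("tea", Terminate(1)),),
                                        termination=(0,))),),
                internal=(Terminate(2),),
                termination=(3,))


def sample_q(n: int) -> Process:
    return Node(external=(("ring%d" % n, Terminate(10 * n)),), termination=(n,))


def sample_r(n: int) -> Process:
    return Terminate(n + 1) if n % 2 else Node(external=(("log", Terminate(n)),))


if __name__ == "__main__":
    print(sorted(traces(bind(SAMPLE_P, sample_q)), key=repr))
    print(monad_laws_hold(5, SAMPLE_P, sample_q, sample_r))  # (True, True, True)
```

The model makes the shape of the Agda proofs visible: `monadicLaw₂+` maps a `terc x` of `P` to `intc (inj₂ x)` of `P ⟫=+ terminate`, which is exactly the termination-to-internal-choice step in `bind`, and the `efq x` / `inj₂ ()` cases correspond to the bound node having an empty `termination` tuple.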


A.82 proofRefLaw.agda 


--@PREFIX@mainproofRefLaw 


module proofRefLaw where 

open import process 

open import Size 

open import choiceSetU

open import Data.Product 

open import RefWithoutSize 

open import labelUniv 

open import traceEquivalence 


--@BEGIN@refProofTheo
refl⊑ : {lu : LUniv}{c : Choice} (P : Process ∞ {lu} c) → P ⊑ P

trans⊑ : {lu : LUniv}{c : Choice}(P : Process ∞ {lu} c)
         (Q : Process ∞ {lu} c)
         (R : Process ∞ {lu} c) → P ⊑ Q → Q ⊑ R → P ⊑ R

antiSym⊑ : {lu : LUniv}{c₀ : Choice} → (P Q : Process ∞ {lu} c₀)
           → P ⊑ Q → Q ⊑ P → P ≡ Q
--@END

--@BEGIN@refProof
refl⊑ P l m x = x

trans⊑ P Q R PQ QR l m tr = PQ l m (QR l m tr)

antiSym⊑ P Q PQ QP = PQ , QP
--@END

antiSym⊑' : {lu : LUniv}{c₀ : Choice} → (P Q : Process ∞ {lu} c₀) → Set
antiSym⊑' P Q = P ⊑ Q × Q ⊑ P


A.83 proofRefLawFdiCorrected.agda 


--@PREFIX@mainproofRefLawFdiCorrected
module proofRefLawFdiCorrected where

open import process
open import Size
open import choiceSetU
open import Data.Maybe
open import labelUniv
open import fdiRefusal
open import RefWithoutSize
open import traceEquivalence
open import Data.Product hiding (_×_)
open import primitiveProcess
open import auxData
open import proofRefLaw

_≡fdi₁_ : {lu : LUniv}{c₀ : Choice} → (P Q : Process ∞ {lu} c₀) → Set
P ≡fdi₁ Q = (P ⊑fdi₁ Q) × (Q ⊑fdi₁ P)

_≡fdi₂ros_ : {lu : LUniv}{c₀ : Choice} (P Q : Process ∞ {lu} c₀) → Set
P ≡fdi₂ros Q = (P ⊑fdi₂ros Q) × (Q ⊑fdi₂ros P)


--@BEGIN@proofRefITransFdiOne
refl⊑fdi₁ : {lu : LUniv}{c : Choice}
            (P : Process ∞ {lu} c) → P ⊑fdi₁ P
refl⊑fdi₁ P l divp = divp

antiSym⊑fdi₁ : {lu : LUniv}{c₀ : Choice}
               → (P Q : Process ∞ {lu} c₀) → P ⊑fdi Q
               → Q ⊑fdi P → P ≡fdi Q
antiSym⊑fdi₁ P Q PQ QP = PQ ,, QP

trans⊑fdi₁ : {lu : LUniv}{c : Choice}
             (P : Process ∞ {lu} c)
             (Q : Process ∞ {lu} c)
             (R : Process ∞ {lu} c)
             → P ⊑fdi₁ Q → Q ⊑fdi₁ R → P ⊑fdi₁ R
trans⊑fdi₁ P Q R PQ QR l divp = PQ l (QR l divp)
--@END


refl⊑fdi₂ : {lu : LUniv}{c : Choice}
            (P : Process ∞ {lu} c) → P ⊑fdi₂ros P
refl⊑fdi₂ P l cond fp = fp

antiSym⊑fdi₂ : {lu : LUniv}{c₀ : Choice}
               → (P Q : Process ∞ {lu} c₀)
               → P ⊑fdi Q → Q ⊑fdi P → P ≡fdi Q
antiSym⊑fdi₂ P Q PQ QP = PQ ,, QP

trans⊑fdi₂ : {lu : LUniv}{c : Choice}
             (P : Process ∞ {lu} c)
             (Q : Process ∞ {lu} c)
             (R : Process ∞ {lu} c)
             → P ⊑fdi₂ros Q → Q ⊑fdi₂ros R → P ⊑fdi₂ros R
trans⊑fdi₂ P Q R PQ QR l cond fp = PQ l cond (QR l cond fp)


refl⊑fdi₃ : {lu : LUniv}{c : Choice}
            (P : Process ∞ {lu} c) → P ⊑fdi₃ P
refl⊑fdi₃ P l fp = fp

antiSym⊑fdi₃ : {lu : LUniv}{c₀ : Choice}
               → (P Q : Process ∞ {lu} c₀)
               → P ⊑fdi Q → Q ⊑fdi P → P ≡fdi Q
antiSym⊑fdi₃ P Q PQ QP = PQ ,, QP

trans⊑fdi₃ : {lu : LUniv}{c : Choice}
             (P : Process ∞ {lu} c)
             (Q : Process ∞ {lu} c)
             (R : Process ∞ {lu} c)
             → P ⊑fdi₃ Q → Q ⊑fdi₃ R → P ⊑fdi₃ R
trans⊑fdi₃ P Q R PQ QR l fp = PQ l (QR l fp)


--@BEGIN@proofRefITransFdi
refl⊑fdi : {lu : LUniv}{c : Choice}
           (P : Process ∞ {lu} c) → P ⊑fdi P
refl⊑fdi P = ((refl⊑ P ,, refl⊑fdi₁ P) ,, refl⊑fdi₂ P) ,, refl⊑fdi₃ P

antiSym⊑fdi : {lu : LUniv}{c₀ : Choice}
              → (P Q : Process ∞ {lu} c₀) → P ⊑fdi Q
              → Q ⊑fdi P → P ≡fdi Q
antiSym⊑fdi P Q PQ QP = PQ ,, QP

trans⊑fdi : {lu : LUniv}{c : Choice}
            (P : Process ∞ {lu} c)
            (Q : Process ∞ {lu} c)
            (R : Process ∞ {lu} c)
            → P ⊑fdi Q → Q ⊑fdi R → P ⊑fdi R
trans⊑fdi P Q R (((PQ ,, PQfdi₁) ,, PQfdi₂) ,, PQfdi₃)
                (((QR ,, QRfdi₁) ,, QRfdi₂) ,, QRfdi₃)
  = ((( trans⊑ P Q R PQ QR
      ,, trans⊑fdi₁ P Q R PQfdi₁ QRfdi₁ )
      ,, trans⊑fdi₂ P Q R PQfdi₂ QRfdi₂ )
      ,, trans⊑fdi₃ P Q R PQfdi₃ QRfdi₃ )
--@END


A.84 proofRefLawFdiModified.agda

--@PREFIX@mainproofRefLawFdiModified
module proofRefLawFdiModified where

open import process
open import Size
open import choiceSetU
open import Data.Maybe
open import labelUniv
open import fdiPart2
open import RefWithoutSize
open import traceEquivalence
open import Data.Product hiding (_×_)
open import primitiveProcess
open import auxData
open import proofRefLaw

_≡fdi₁_ : {lu : LUniv}{c₀ : Choice} → (P Q : Process ∞ {lu} c₀) → Set
P ≡fdi₁ Q = (P ⊑fdi₁ Q) × (Q ⊑fdi₁ P)

_≡fdi₂_ : {lu : LUniv}{c₀ : Choice} (P Q : Process ∞ {lu} c₀) → Set
P ≡fdi₂ Q = (P ⊑fdi₂ Q) × (Q ⊑fdi₂ P)


--@BEGIN@proofRefITransFdiOne
refl⊑fdi₁ : {lu : LUniv}{c : Choice}
            (P : Process ∞ {lu} c) → P ⊑fdi₁ P
refl⊑fdi₁ P l divp = divp

antiSym⊑fdi₁ : {lu : LUniv}{c₀ : Choice}
               → (P Q : Process ∞ {lu} c₀) → P ⊑fdi Q
               → Q ⊑fdi P → P ≡fdi Q
antiSym⊑fdi₁ P Q PQ QP = PQ ,, QP

trans⊑fdi₁ : {lu : LUniv}{c : Choice}
             (P : Process ∞ {lu} c)
             (Q : Process ∞ {lu} c)
             (R : Process ∞ {lu} c)
             → P ⊑fdi₁ Q → Q ⊑fdi₁ R → P ⊑fdi₁ R
trans⊑fdi₁ P Q R PQ QR l divp = PQ l (QR l divp)
--@END


refl⊑fdi₂ : {lu : LUniv}{c : Choice}
            (P : Process ∞ {lu} c) → P ⊑fdi₂ P
refl⊑fdi₂ P l cond fp = fp

antiSym⊑fdi₂ : {lu : LUniv}{c₀ : Choice}
               → (P Q : Process ∞ {lu} c₀)
               → P ⊑fdi Q → Q ⊑fdi P → P ≡fdi Q
antiSym⊑fdi₂ P Q PQ QP = PQ ,, QP

trans⊑fdi₂ : {lu : LUniv}{c : Choice}
             (P : Process ∞ {lu} c)
             (Q : Process ∞ {lu} c)
             (R : Process ∞ {lu} c)
             → P ⊑fdi₂ Q → Q ⊑fdi₂ R → P ⊑fdi₂ R
trans⊑fdi₂ P Q R PQ QR l cond fp = PQ l cond (QR l cond fp)


--@BEGIN@proofRefITransFdi
refl⊑fdi : {lu : LUniv}{c : Choice}
           (P : Process ∞ {lu} c) → P ⊑fdi P
refl⊑fdi P = (refl⊑ P ,, refl⊑fdi₁ P) ,, refl⊑fdi₂ P

antiSym⊑fdi : {lu : LUniv}{c₀ : Choice}
              → (P Q : Process ∞ {lu} c₀) → P ⊑fdi Q
              → Q ⊑fdi P → P ≡fdi Q
antiSym⊑fdi P Q PQ QP = PQ ,, QP

trans⊑fdi : {lu : LUniv}{c : Choice}
            (P : Process ∞ {lu} c)
            (Q : Process ∞ {lu} c)
            (R : Process ∞ {lu} c)
            → P ⊑fdi Q → Q ⊑fdi R → P ⊑fdi R
trans⊑fdi P Q R ((PQ ,, PQfdi₁) ,, PQfdi₂)
                ((QR ,, QRfdi₁) ,, QRfdi₂)
  = ( trans⊑ P Q R PQ QR
    ,, trans⊑fdi₁ P Q R PQfdi₁ QRfdi₁ )
    ,, trans⊑fdi₂ P Q R PQfdi₂ QRfdi₂
--@END


A.85 proofRenamingSkip.agda

--@PREFIX@mainproofRenamingSkip

module proofRenamingSkip where

open import process
open import Size
open import choiceSetU
open import labelUniv
open import TraceWithoutSize
open import RefWithoutSize
open import primitiveProcess
open import renamingOperator
open import traceEquivalence
open import Data.Product

--@BEGIN@unitRenameLaw
unitRenameLaw : {i : Size} {lu : LUniv}{c₀ : Choice} (a : ChoiceSet c₀)
                → (A : Label lu → Label lu)
                → (P : Process i {lu} c₀)
                → Rename A (terminate a) ⊑ (terminate a)
unitRenameLaw a A P l m x = x

unitRenameLawr : {i : Size} {lu : LUniv}{c₀ : Choice} (a : ChoiceSet c₀)
                 (A : Label lu → Label lu)
                 → (P : Process i {lu} c₀)
                 → (terminate a) ⊑ Rename A (terminate a)
unitRenameLawr a A P l m x = x
--@END

--@BEGIN@unitRenameLawTheo
≡unitRename : {i : Size} {lu : LUniv}{c₀ : Choice} (a : ChoiceSet c₀)
              → (A : Label lu → Label lu)
              → (P : Process i {lu} c₀)
              → Rename A (terminate a) ≡ (terminate a)
--@END

--@BEGIN@unitRenameLawTheoProof
≡unitRename a A P = (unitRenameLaw a A P) , (unitRenameLawr a A P)
--@END


A.86 proofSymExt.agda

--@PREFIX@mainproofSymExt

module proofSymExt where
open import process
open import Size
open import choiceSetU
open import Data.Maybe
open import Data.Fin
open import Data.List
open import Data.Sum
open import renamingResult
open import TraceWithoutSize
open import RefWithoutSize
open import dataAuxFunction
open import externalChoice
open import addTick
open import internalChoice
open import lemFmap
open import traceEquivalence
open import Data.Product
open import labelUniv


mutual
  --@BEGIN@SymExCPDef
  S□+ : {lu : LUniv}{c₀ c₁ : Choice} (P : Process+ ∞ {lu} c₀)
        (Q : Process+ ∞ {lu} c₁)
        → (P □++ Q) ⊑+ (fmap+ swap⊎ (Q □++ P))
  S□+ P Q .[] .nothing empty = empty
  S□+ P Q .(Lab Q x ∷ l) m (extc l .m (inj₁ x) x₁) = extc l m (inj₂ x)
      (lemFmap∞ inj₁ swap⊎ (PE Q x) l m x₁)
  S□+ P Q .(Lab P y ∷ l) m (extc l .m (inj₂ y) x₁) = extc l m (inj₁ y)
      (lemFmap∞ inj₂ swap⊎ (PE P y) l m x₁)
  S□+ P Q l m (intc .l .m (inj₁ x) x₁) = intc l m (inj₂ x)
      (S□+∞ P (PI Q x) l m x₁)
  S□+ P Q l m (intc .l .m (inj₂ y) x₁) = intc l m (inj₁ y)
      (S□∞+ (PI P y) Q l m x₁)
  S□+ P Q .[] .(just (inj₂ (PT Q x))) (terc (inj₁ x)) = terc (inj₂ x)
  S□+ P Q .[] .(just (inj₁ (PT P y))) (terc (inj₂ y)) = terc (inj₁ y)
  --@END

  S□+∞ : {lu : LUniv}{c₀ c₁ : Choice}
         → (P : Process+ ∞ {lu} c₀)
         → (Q : Process∞ ∞ c₁)
         → Ref∞ (P □+∞+ Q) (fmap∞ swap⊎ (Q □∞++ P))
  S□+∞ P Q l m (tnode tr) = tnode (S□+p P (forcep Q) l m tr)

  S□+p : {lu : LUniv}{c₀ c₁ : Choice}
         → (P : Process+ ∞ {lu} c₀)
         → (Q : Process ∞ c₁)
         → Ref+ (P □+p+ Q) (fmap+ swap⊎ (Q □p++ P))
  S□+p P (terminate x) l m q = addTimeFmapLemma+ inj₂ swap⊎ P (inj₁ x) l m q
  S□+p P (node Q) l m q = S□+ P Q l m q

  S□∞+ : {lu : LUniv}{c₀ c₁ : Choice}
         → (P : Process∞ ∞ c₀)
         → (Q : Process+ ∞ {lu} c₁)
         → Ref∞ (P □∞++ Q) (fmap∞ swap⊎ (Q □+∞+ P))
  S□∞+ P Q l m (tnode tr) = tnode (S□p+ (forcep P) Q l m tr)

  S□p+ : {lu : LUniv}{c₀ c₁ : Choice}
         → (P : Process ∞ c₀)
         → (Q : Process+ ∞ {lu} c₁)
         → Ref+ (P □p++ Q) (fmap+ swap⊎ (Q □+p+ P))
  S□p+ (terminate x) P l m q = addTimeFmapLemma+ inj₁ swap⊎ P (inj₂ x) l m q
  S□p+ (node Q) P l m q = S□+ Q P l m q


mutual
  S□+R : {lu : LUniv}{c₀ c₁ : Choice} (P : Process+ ∞ {lu} c₀) (Q : Process+ ∞ {lu} c₁)
         → (fmap+ swap⊎ (Q □++ P)) ⊑+ (P □++ Q)
  S□+R P Q .[] .nothing empty = empty
  S□+R P Q .(Lab P x ∷ l) m (extc l .m (inj₁ x) x₁) = extc l m (inj₂ x) (lemFmap∞R inj₂ swap⊎ (PE P x) l m x₁)
  S□+R P Q .(Lab Q y ∷ l) m (extc l .m (inj₂ y) x₁) = extc l m (inj₁ y) (lemFmap∞R inj₁ swap⊎ (PE Q y) l m x₁)
  S□+R P Q l m (intc .l .m (inj₁ x) x₁) = intc l m (inj₂ x) (S□∞+R (PI P x) Q l m x₁)
  S□+R P Q l m (intc .l .m (inj₂ y) x₁) = intc l m (inj₁ y) (S□+∞R P (PI Q y) l m x₁)
  S□+R P Q .[] .(just (inj₁ (PT P x))) (terc (inj₁ x)) = (terc (inj₂ x))
  S□+R P Q .[] .(just (inj₂ (PT Q y))) (terc (inj₂ y)) = (terc (inj₁ y))

  S□+∞R : {lu : LUniv}{c₀ c₁ : Choice}
          → (P : Process+ ∞ {lu} c₀)
          → (Q : Process∞ ∞ c₁)
          → Ref∞ (fmap∞ swap⊎ (Q □∞++ P)) (P □+∞+ Q)
  S□+∞R P Q l m (tnode tr) = tnode (S□+pR P (forcep Q) l m tr)

  S□+pR : {lu : LUniv}{c₀ c₁ : Choice}
          → (P : Process+ ∞ {lu} c₀)
          → (Q : Process ∞ c₁)
          → Ref+ (fmap+ swap⊎ (Q □p++ P)) (P □+p+ Q)
  S□+pR P (terminate x) l m q = addTimeFmapLemma+R inj₂ swap⊎ P (inj₁ x) l m q
  S□+pR P (node Q) l m q = S□+R P Q l m q

  S□∞+R : {lu : LUniv}{c₀ c₁ : Choice}
          → (P : Process∞ ∞ c₀)
          → (Q : Process+ ∞ {lu} c₁)
          → Ref∞ (fmap∞ swap⊎ (Q □+∞+ P)) (P □∞++ Q)
  S□∞+R P Q l m (tnode tr) = tnode (S□p+R (forcep P) Q l m tr)

  S□p+R : {lu : LUniv}{c₀ c₁ : Choice}
          → (P : Process ∞ c₀)
          → (Q : Process+ ∞ {lu} c₁)
          → Ref+ (fmap+ swap⊎ (Q □+p+ P)) (P □p++ Q)
  S□p+R (terminate x) P l m q = addTimeFmapLemma+R inj₁ swap⊎ P (inj₂ x) l m q
  S□p+R (node Q) P l m q = S□+R Q P l m q

--@BEGIN@SymExCPEqDef
≡□+ : {lu : LUniv}{c₀ c₁ : Choice} (P : Process+ ∞ {lu} c₀)
      (Q : Process+ ∞ {lu} c₁)
      → (P □++ Q) ≡+ (fmap+ swap⊎ (Q □++ P))
≡□+ P Q = S□+ P Q , S□+R P Q
--@END


A.87 proofSymInterleaving.agda

--@PREFIX@mainproofSymInterleaving
module proofSymInterleaving where

open import process
open import Size
open import choiceSetU
open import Data.Maybe
open import Data.List
open import Data.Sum
open import renamingResult
open import TraceWithoutSize
open import RefWithoutSize
open import lemFmap
open import auxData
open import Data.Product
open import interleave
open import traceEquivalence
open import Data.Product
open import labelUniv

mutual
  --@BEGIN@interleavProofCDef
  S|||+ : {lu : LUniv}{c₀ c₁ : Choice} (P : Process+ ∞ {lu} c₀)
          (Q : Process+ ∞ {lu} c₁)
          → (P |||++ Q) ⊑+ (fmap+ swap× (Q |||++ P))
  S|||+ P Q .[] .nothing empty = empty
  S|||+ P Q .(Lab Q x ∷ l) m (extc l .m (inj₁ x) q) =
      extc l m (inj₂ x) (S|||+∞ P (PE Q x) l m q)
  S|||+ P Q .(Lab P x ∷ l) m (extc l .m (inj₂ x) q) =
      extc l m (inj₁ x) (S|||∞+ (PE P x) Q l m q)
  S|||+ P Q l m (intc .l .m (inj₁ x) q) =
      intc l m (inj₂ x) (S|||+∞ P (PI Q x) l m q)
  S|||+ P Q l m (intc .l .m (inj₂ x) q) =
      intc l m (inj₁ x) (S|||∞+ (PI P x) Q l m q)
  S|||+ P Q .[] .(just (PT P x ,, PT Q y)) (terc (y ,, x)) =
      terc (x ,, y)
  --@END

  S||| : {lu : LUniv}{c₀ c₁ : Choice} → (P : Process ∞ {lu} c₀)
         → (Q : Process ∞ {lu} c₁)
         → (P ||| Q) ⊑ (fmap swap× (Q ||| P))
  S||| (terminate x) (terminate x') l m q = q
  S||| (terminate x) (node P) l m (tnode q) =
      tnode (lemFmap+ (λ a → a ,, x) swap× P l m q)
  S||| (node P) (terminate x) l m (tnode q) =
      tnode (lemFmap+ (_,,_ x) swap× P l m q)
  S||| (node P) (node Q) l m (tnode q) = tnode (S|||+ P Q l m q)

  S|||+p : {lu : LUniv}{c₀ c₁ : Choice}
           → (P : Process+ ∞ {lu} c₀)
           → (Q : Process ∞ c₁)
           → Ref+ (P |||+p Q) (fmap+ swap× (Q |||p+ P))
  S|||+p P (terminate x) l m q = lemFmap+ (_,,_ x) swap× P l m q
  S|||+p P (node Q) l m q = S|||+ P Q l m q

  S|||p+ : {lu : LUniv}{c₀ c₁ : Choice}
           → (P : Process ∞ {lu} c₀)
           → (Q : Process+ ∞ {lu} c₁)
           → Ref+ (P |||p+ Q) (fmap+ swap× (Q |||+p P))
  S|||p+ (terminate x) Q l m q = lemFmap+ (λ a → a ,, x) swap× Q l m q
  S|||p+ (node P) Q l m q = S|||+ P Q l m q

  S|||+∞ : {lu : LUniv}{c₀ c₁ : Choice}
           → (P : Process+ ∞ {lu} c₀)
           → (Q : Process∞ ∞ c₁)
           → Ref∞ (P |||+∞ Q) (fmap∞ swap× (Q |||∞+ P))
  S|||+∞ P Q l m (tnode tr) = tnode (S|||+p P (forcep Q) l m tr)

  S|||∞+ : {lu : LUniv}{c₀ c₁ : Choice}
           → (P : Process∞ ∞ {lu} c₀)
           → (Q : Process+ ∞ c₁)
           → Ref∞ (P |||∞+ Q) (fmap∞ swap× (Q |||+∞ P))
  S|||∞+ P Q l m (tnode tr) = tnode (S|||p+ (forcep P) Q l m tr)


mutual
  S|||+R : {lu : LUniv}{c₀ c₁ : Choice} → (P : Process+ ∞ {lu} c₀) → (Q : Process+ ∞ {lu} c₁)
           → (fmap+ swap× (Q |||++ P)) ⊑+ (P |||++ Q)
  S|||+R P Q .[] .nothing empty = empty
  S|||+R P Q .(Lab P x ∷ l) m (extc l .m (inj₁ x) x₁) = extc l m (inj₂ x) (S|||∞+R (PE P x) Q l m x₁)
  S|||+R P Q .(Lab Q y ∷ l) m (extc l .m (inj₂ y) x₁) = extc l m (inj₁ y) (S|||+∞R P (PE Q y) l m x₁)
  S|||+R P Q l m (intc .l .m (inj₁ x) x₁) = intc l m (inj₂ x) (S|||∞+R (PI P x) Q l m x₁)
  S|||+R P Q l m (intc .l .m (inj₂ y) x₁) = intc l m (inj₁ y) (S|||+∞R P (PI Q y) l m x₁)
  S|||+R P Q .[] .(just (PT P x ,, PT Q x₁)) (terc (x ,, x₁)) = terc (x₁ ,, x)

  S|||R : {lu : LUniv}{c₀ c₁ : Choice} → (P : Process ∞ {lu} c₀) → (Q : Process ∞ {lu} c₁)
          → (fmap swap× (Q ||| P)) ⊑ (P ||| Q)
  S|||R (terminate x) (terminate x') l m q = q
  S|||R (terminate x) (node P) l m (tnode q) = tnode (lemFmap+R (λ a → a ,, x) swap× P l m q)
  S|||R (node P) (terminate x) l m (tnode q) = tnode (lemFmap+R (_,,_ x) swap× P l m q)
  S|||R (node P) (node Q) l m (tnode q) = tnode (S|||+R P Q l m q)

  S|||+pR : {lu : LUniv}{c₀ c₁ : Choice}
            → (P : Process+ ∞ {lu} c₀)
            → (Q : Process ∞ c₁)
            → Ref+ (fmap+ swap× (Q |||p+ P)) (P |||+p Q)
  S|||+pR P (terminate x) l m q = lemFmap+R (_,,_ x) swap× P l m q
  S|||+pR P (node Q) l m q = S|||+R P Q l m q

  S|||p+R : {lu : LUniv}{c₀ c₁ : Choice}
            → (P : Process ∞ {lu} c₀)
            → (Q : Process+ ∞ {lu} c₁)
            → Ref+ (fmap+ swap× (Q |||+p P)) (P |||p+ Q)
  S|||p+R (terminate x) Q l m q = lemFmap+R (λ a → a ,, x) swap× Q l m q
  S|||p+R (node P) Q l m q = S|||+R P Q l m q

  S|||+∞R : {lu : LUniv}{c₀ c₁ : Choice}
            → (P : Process+ ∞ {lu} c₀)
            → (Q : Process∞ ∞ c₁)
            → Ref∞ (fmap∞ swap× (Q |||∞+ P)) (P |||+∞ Q)
  S|||+∞R P Q l m (tnode tr) = tnode (S|||+pR P (forcep Q) l m tr)

  S|||∞+R : {lu : LUniv}{c₀ c₁ : Choice}
            → (P : Process∞ ∞ {lu} c₀)
            → (Q : Process+ ∞ c₁)
            → Ref∞ (fmap∞ swap× (Q |||+∞ P)) (P |||∞+ Q)
  S|||∞+R P Q l m (tnode tr) = tnode (S|||p+R (forcep P) Q l m tr)

--@BEGIN@interleavProofCEqDef
≡S|||+ : {lu : LUniv}{c₀ c₁ : Choice} (P : Process+ ∞ {lu} c₀)
         (Q : Process+ ∞ {lu} c₁)
         → (P |||++ Q) ≡+ (fmap+ swap× (Q |||++ P))
≡S|||+ P Q = (S|||+ P Q) , (S|||+R P Q)
--@END


A.88 proofSymInterleavingTheoOnly.agda

--@PREFIX@mainproofSymInterleavingTheoOnly
module proofSymInterleavingTheoOnly where

open import process
open import Size
open import choiceSetU
open import Data.Maybe
open import Data.List
open import Data.Sum
open import renamingResult
open import TraceWithoutSize
open import RefWithoutSize
open import lemFmap
open import auxData
open import Data.Product
open import interleave
open import traceEquivalence
open import Data.Product
open import labelUniv

mutual

  --@BEGIN@interleavProofCDef
  S|||+ : {lu : LUniv}{c₀ c₁ : Choice} (P : Process+ ∞ {lu} c₀)
          (Q : Process+ ∞ {lu} c₁)
          → (P |||++ Q) ⊑+ (fmap+ swapx (Q |||++ P))
  S|||+ P Q .[] .nothing empty = empty
  S|||+ P Q .(Lab Q x ∷ l) m (extc l .m (inj₁ x) q) =
    extc l m (inj₂ x) (S|||+∞ P (PE Q x) l m q)
  S|||+ P Q .(Lab P x ∷ l) m (extc l .m (inj₂ x) q) =
    extc l m (inj₁ x) (S|||∞+ (PE P x) Q l m q)
  S|||+ P Q l m (intc .l .m (inj₁ x) q) =
    intc l m (inj₂ x) (S|||+∞ P (PI Q x) l m q)
  S|||+ P Q l m (intc .l .m (inj₂ x) q) =
    intc l m (inj₁ x) (S|||∞+ (PI P x) Q l m q)
  S|||+ P Q .[] .(just (PT P x ,, PT Q y)) (terc (y ,, x)) =
    terc (x ,, y)
  --@END

  S||| : {lu : LUniv}{c₀ c₁ : Choice} → (P : Process ∞ {lu} c₀)
         → (Q : Process ∞ {lu} c₁)
         → (P ||| Q) ⊑ (fmap swapx (Q ||| P))
  S||| (terminate x) (terminate x') l m q = q
  S||| (terminate x) (node P) l m (tnode q) =
    tnode (lemFmap+ (λ a → a ,, x) swapx P l m q)
  S||| (node P) (terminate x) l m (tnode q) =
    tnode (lemFmap+ (_,,_ x) swapx P l m q)
  S||| (node P) (node Q) l m (tnode q) = tnode (S|||+ P Q l m q)

  S|||+p : {lu : LUniv}{c₀ c₁ : Choice}
           → (P : Process+ ∞ {lu} c₀)
           → (Q : Process ∞ c₁)
           → Ref+ (P |||+p Q) (fmap+ swapx (Q |||p+ P))
  S|||+p P (terminate x) l m q = lemFmap+ (_,,_ x) swapx P l m q
  S|||+p P (node Q) l m q = S|||+ P Q l m q

  S|||p+ : {lu : LUniv}{c₀ c₁ : Choice}
           → (P : Process ∞ {lu} c₀)
           → (Q : Process+ ∞ {lu} c₁)
           → Ref+ (P |||p+ Q) (fmap+ swapx (Q |||+p P))
  S|||p+ (terminate x) Q l m q = lemFmap+ (λ a → a ,, x) swapx Q l m q
  S|||p+ (node P) Q l m q = S|||+ P Q l m q

  S|||+∞ : {lu : LUniv}{c₀ c₁ : Choice}
           → (P : Process+ ∞ {lu} c₀)
           → (Q : Process∞ ∞ c₁)
           → Ref∞ (P |||+∞ Q) (fmap∞ swapx (Q |||∞+ P))
  S|||+∞ P Q l m (tnode tr) = tnode (S|||+p P (forcep Q) l m tr)

  S|||∞+ : {lu : LUniv}{c₀ c₁ : Choice}
           → (P : Process∞ ∞ {lu} c₀)
           → (Q : Process+ ∞ c₁)
           → Ref∞ (P |||∞+ Q) (fmap∞ swapx (Q |||+∞ P))
  S|||∞+ P Q l m (tnode tr) = tnode (S|||p+ (forcep P) Q l m tr)

mutual

  S|||+R : {lu : LUniv}{c₀ c₁ : Choice} → (P : Process+ ∞ {lu} c₀) → (Q : Process+ ∞ {lu} c₁)
           → (fmap+ swapx (Q |||++ P)) ⊑+ (P |||++ Q)
  S|||+R P Q .[] .nothing empty = empty
  S|||+R P Q .(Lab P x ∷ l) m (extc l .m (inj₁ x) x₁) = extc l m (inj₂ x) (S|||∞+R (PE P x) Q l m x₁)
  S|||+R P Q .(Lab Q y ∷ l) m (extc l .m (inj₂ y) x₁) = extc l m (inj₁ y) (S|||+∞R P (PE Q y) l m x₁)
  S|||+R P Q l m (intc .l .m (inj₁ x) x₁) = intc l m (inj₂ x) (S|||∞+R (PI P x) Q l m x₁)
  S|||+R P Q l m (intc .l .m (inj₂ y) x₁) = intc l m (inj₁ y) (S|||+∞R P (PI Q y) l m x₁)
  S|||+R P Q .[] .(just (PT P x ,, PT Q x₁)) (terc (x ,, x₁)) = terc (x₁ ,, x)

  S|||R : {lu : LUniv}{c₀ c₁ : Choice} → (P : Process ∞ {lu} c₀) → (Q : Process ∞ {lu} c₁)
          → (fmap swapx (Q ||| P)) ⊑ (P ||| Q)
  S|||R (terminate x) (terminate x') l m q = q
  S|||R (terminate x) (node P) l m (tnode q) = tnode (lemFmap+R (λ a → a ,, x) swapx P l m q)
  S|||R (node P) (terminate x) l m (tnode q) = tnode (lemFmap+R (_,,_ x) swapx P l m q)
  S|||R (node P) (node Q) l m (tnode q) = tnode (S|||+R P Q l m q)

  S|||+pR : {lu : LUniv}{c₀ c₁ : Choice}
            → (P : Process+ ∞ {lu} c₀)
            → (Q : Process ∞ c₁)
            → Ref+ (fmap+ swapx (Q |||p+ P)) (P |||+p Q)
  S|||+pR P (terminate x) l m q = lemFmap+R (_,,_ x) swapx P l m q
  S|||+pR P (node Q) l m q = S|||+R P Q l m q

  S|||p+R : {lu : LUniv}{c₀ c₁ : Choice}
            → (P : Process ∞ {lu} c₀)
            → (Q : Process+ ∞ {lu} c₁)
            → Ref+ (fmap+ swapx (Q |||+p P)) (P |||p+ Q)
  S|||p+R (terminate x) Q l m q = lemFmap+R (λ a → a ,, x) swapx Q l m q
  S|||p+R (node P) Q l m q = S|||+R P Q l m q

  S|||+∞R : {lu : LUniv}{c₀ c₁ : Choice}
            → (P : Process+ ∞ {lu} c₀)
            → (Q : Process∞ ∞ c₁)
            → Ref∞ (fmap∞ swapx (Q |||∞+ P)) (P |||+∞ Q)
  S|||+∞R P Q l m (tnode tr) = tnode (S|||+pR P (forcep Q) l m tr)

  S|||∞+R : {lu : LUniv}{c₀ c₁ : Choice}
            → (P : Process∞ ∞ {lu} c₀)
            → (Q : Process+ ∞ c₁)
            → Ref∞ (fmap∞ swapx (Q |||+∞ P)) (P |||∞+ Q)
  S|||∞+R P Q l m (tnode tr) = tnode (S|||p+R (forcep P) Q l m tr)

--@BEGIN@interleavProofCEqDef
≡S|||+ : {lu : LUniv}{c₀ c₁ : Choice}
         (P : Process+ ∞ {lu} c₀)
         (Q : Process+ ∞ {lu} c₁)
         → (P |||++ Q) ≡+ (fmap+ swapx (Q |||++ P))
≡S|||+ P Q = (S|||+ P Q) , (S|||+R P Q)
--@END

A.89 proofSymParPartone.agda

--@PREFIX@mainproofSymParPartone
module proofSymParPartone where

open import process
open import Size
open import choiceSetU
open import Data.Maybe
open import Data.List
open import Data.Sum
open import renamingResult
open import TraceWithoutSize
open import RefWithoutSize
open import lemFmap
open import auxData
open import labelUniv
open import parallelSimple
open import restrict
open import Data.Bool.Base renaming (T to T')
open import auxLemmaPar
mutual

  --@BEGIN@SymParPlusDef
  S[||]+ : {lu : LUniv}{c₀ c₁ : Choice} (P : Process+ ∞ {lu} c₀)
           (A B : Label lu → Bool)
           (Q : Process+ ∞ {lu} c₁)
           → (P [ A ]||+[ B ] Q) ⊑+ fmap+ swapx ((Q [ B ]||+[ A ] P))
  S[||]+ P A B Q .[] .nothing empty = empty
  S[||]+ P A B Q .(Lab Q a ∷ l) m (extc l .m (inj₁ (inj₁ (sub a x))) x₁) =
    extc l m (inj₁ (inj₂ (sub a x))) (S[||]+∞ P A B (PE Q a) l m x₁)
  S[||]+ P A B Q .(Lab P a ∷ l) m (extc l .m (inj₁ (inj₂ (sub a x))) x₁) =
    extc l m (inj₁ (inj₁ (sub a x))) (S[||]∞+ (PE P a) A B Q l m x₁)
  S[||]+ {lu} P A B Q .(Lab Q x ∷ l) m (extc l .m (inj₂ (sub (x ,, x₁) x₂)) x₃) =
    let
      lxlx₁ : T' (Lab Q x ==l Lab P x₁)
      lxlx₁ = lemmaBool (Lab Q x ==l Lab P x₁)
                        (B (Lab Q x) ∧ A (Lab P x₁)) x₂

      BQx : T' (B (Lab Q x))
      BQx = lemmaBool (B (Lab Q x)) (A (Lab P x₁))
                      (lemmaBoolR ((Lab Q x ==l Lab P x₁))
                                  (B (Lab Q x) ∧ A (Lab P x₁)) x₂)

      APx₁ : T' (A (Lab P x₁))
      APx₁ = lemmaBool' ((Lab Q x ==l Lab P x₁))
                        (B (Lab Q x)) (A (Lab P x₁)) x₂

      lx₁lx : T' (Lab P x₁ ==l Lab Q x)
      lx₁lx = sym==l {lu} {Lab Q x} {Lab P x₁} lxlx₁

      x₂' : T' ((Lab P x₁ ==l Lab Q x)
                ∧ A (Lab P x₁) ∧ B (Lab Q x))
      x₂' = lemmaBool'' (Lab P x₁ ==l Lab Q x)
                        (A (Lab P x₁)) (B (Lab Q x))
                        lx₁lx APx₁ BQx

      auxproof : Tr+ (Lab P x₁ ∷ l) m
                     (P [ A ]||+[ B ] Q)
      auxproof = extc l m (inj₂ (sub (x₁ ,, x) x₂'))
                          (S[||]∞∞ (PE P x₁) A B (PE Q x) l m x₃)

      auxproof' : Tr+ (Lab Q x ∷ l) m (P [ A ]||+[ B ] Q)
      auxproof' = transfLu {lu} (λ l' → Tr+ (l' ∷ l)
                                 m (P [ A ]||+[ B ] Q)) {Lab P x₁}
                                 {Lab Q x} lx₁lx auxproof
    in auxproof'
  S[||]+ P A B Q l m (intc .l .m (inj₁ x) x₁) =
    intc l m (inj₂ x) (S[||]+∞ P A B (PI Q x) l m x₁)
  S[||]+ P A B Q l m (intc .l .m (inj₂ y) x₁) =
    intc l m (inj₁ y) (S[||]∞+ (PI P y) A B Q l m x₁)
  S[||]+ P A B Q .[] .(just (PT P x₁ ,, PT Q x)) (terc (x ,, x₁)) = terc (x₁ ,, x)
  --@END

  S[||]+∞ : {lu : LUniv}{c₀ c₁ : Choice}
            → (P : Process+ ∞ {lu} c₀)
            → (A B : Label lu → Bool)
            → (Q : Process∞ ∞ c₁)
            → Ref∞ (P [ A ]||+∞[ B ] Q) (fmap∞ swapx ((Q [ B ]||∞+[ A ] P)))
  S[||]+∞ P A B Q l m (tnode tr) = tnode (S[||]+p P A B (forcep Q) l m tr)

  S[||]∞+ : {lu : LUniv}{c₀ c₁ : Choice}
            → (P : Process∞ ∞ c₀)
            → (A B : Label lu → Bool)
            → (Q : Process+ ∞ {lu} c₁)
            → Ref∞ (P [ A ]||∞+[ B ] Q) (fmap∞ swapx ((Q [ B ]||+∞[ A ] P)))
  S[||]∞+ P A B Q l m (tnode tr) = tnode (S[||]p+ (forcep P) A B Q l m tr)

  S[||]∞∞ : {lu : LUniv}{c₀ c₁ : Choice}
            → (P : Process∞ ∞ c₀)
            → (A B : Label lu → Bool)
            → (Q : Process∞ ∞ c₁)
            → Ref∞ (P [ A ]||∞[ B ] Q) (fmap∞ swapx ((Q [ B ]||∞[ A ] P)))
  S[||]∞∞ P A B Q l m tr = S[||]pp ((forcep P)) A B (forcep Q) l m tr

  S[||]pp : {lu : LUniv}{c₀ c₁ : Choice}
            → (P : Process ∞ c₀)
            → (A B : Label lu → Bool)
            → (Q : Process ∞ c₁)
            → Ref (P [ A ]||[ B ] Q) (fmap swapx ((Q [ B ]||[ A ] P)))
  S[||]pp (terminate p) A B (terminate q) .[] .(just (p ,, q)) (ter .(p ,, q)) = ter (p ,, q)
  S[||]pp (terminate p) A B (terminate q) .[] .nothing (empty .(p ,, q)) = empty (p ,, q)
  S[||]pp (terminate p) A B (node q) .[] .nothing (tnode empty) = tnode empty
  S[||]pp (terminate p) A B (node q) .(Lab q a ∷ l) m (tnode (extc l .m (sub a x) x₁)) =
    tnode (extc l m (sub a x) (lemFmap∞ (λ a₁ → a₁ ,, p)
                                swapx (PE (q \+ (B \ A)) (sub a x)) l m x₁))
  S[||]pp (terminate p) A B (node q) l m (tnode (intc .l .m x x₁)) =
    tnode (intc l m x (lemFmap∞ (λ a → a ,, p)
                       swapx (PI (q \+ (B \ A)) x) l m x₁))
  S[||]pp (terminate p) A B (node q) .[] .(just (p ,, PT q x)) (tnode (terc x)) = tnode (terc x)
  S[||]pp (node p) A B (terminate q) .[] .nothing (tnode empty) = tnode empty
  S[||]pp (node p) A B (terminate q) .(Lab p a ∷ l) m (tnode (extc l .m (sub a x) x₁)) =
    tnode (extc l m (sub a x)
          (lemFmap∞ (_,,_ q) swapx
                    (PE (p \+ (A \ B)) (sub a x)) l m x₁))
  S[||]pp (node p) A B (terminate q) l m (tnode (intc .l .m x x₁)) =
    tnode (intc l m x
          (lemFmap∞ (_,,_ q) swapx (PI (p \+ (A \ B)) x) l m x₁))
  S[||]pp (node p) A B (terminate q) .[] .(just (PT p x ,, q)) (tnode (terc x)) = tnode (terc x)
  S[||]pp (node p) A B (node q) .[] .nothing (tnode empty) = tnode empty
  S[||]pp (node p) A B (node q) .(Lab q a ∷ l) m (tnode (extc l .m (inj₁ (inj₁ (sub a x))) x₁)) =
    tnode (extc l m (inj₁ (inj₂ (sub a x)))
          (S[||]+∞ p A B (PE q a) l m x₁))
  S[||]pp (node p) A B (node q) .(Lab p a ∷ l) m (tnode (extc l .m (inj₁ (inj₂ (sub a x))) x₁)) =
    tnode (extc l m (inj₁ (inj₁ (sub a x)))
          (S[||]∞+ (PE p a) A B q l m x₁))
  S[||]pp {lu} (node p) A B (node q) .(Lab q x ∷ l) m
          (tnode (extc l .m (inj₂ (sub (x ,, x₁) x₂)) x₃)) = let
      lxlx : T' (Lab q x ==l Lab p x₁)
      lxlx = lemmaBool (Lab q x ==l Lab p x₁)
                       (B (Lab q x)
                       ∧ A (Lab p x₁)) x₂

      BQx : T' (B (Lab q x))
      BQx = lemmaBool (B (Lab q x))
                      (A (Lab p x₁))
                      (lemmaBoolR
                        ((Lab q x ==l Lab p x₁))
                        (B (Lab q x) ∧
                         A (Lab p x₁)) x₂)

      APx₁ : T' (A (Lab p x₁))
      APx₁ = lemmaBool' ((Lab q x ==l Lab p x₁))
                        (B (Lab q x))
                        (A (Lab p x₁)) x₂

      lx₁lx : T' (Lab p x₁ ==l Lab q x)
      lx₁lx = sym==l {lu} {Lab q x} {Lab p x₁} lxlx

      x₂' : T' ((Lab p x₁ ==l Lab q x)
                ∧ A (Lab p x₁)
                ∧ B (Lab q x))
      x₂' = lemmaBool''
              ((Lab p x₁ ==l Lab q x))
              (A (Lab p x₁))
              (B (Lab q x))
              lx₁lx APx₁ BQx

      auxproof : Tr+ (Lab p x₁ ∷ l)
                     m (p [ A ]||+[ B ] q)
      auxproof = extc l m (inj₂ (sub (x₁ ,, x)
                                      x₂'))
                          (S[||]∞∞ (PE p x₁)
                                   A B (PE q x) l m x₃)

      auxproof' : Tr+ (Lab q x ∷ l) m
                      (p [ A ]||+[ B ] q)
      auxproof' = transfLu {lu} (λ l' → Tr+ (l' ∷ l)
                                 m (p [ A ]||+[ B ] q))
                                {Lab p x₁}
                                {Lab q x} lx₁lx
                                auxproof
    in (tnode auxproof')
  S[||]pp (node p) A B (node q) l m (tnode (intc .l .m (inj₁ x) x₁)) = tnode (intc l m (inj₂ x) (S[||]+∞ p A B (PI q x) l m x₁))
  S[||]pp (node p) A B (node q) l m (tnode (intc .l .m (inj₂ y) x₁)) = tnode (intc l m (inj₁ y) (S[||]∞+ (PI p y) A B q l m x₁))
  S[||]pp (node p) A B (node q) .[] .(just (PT p x₁ ,, PT q x)) (tnode (terc (x ,, x₁))) = tnode (terc (x₁ ,, x))

  S[||]+p : {lu : LUniv}{c₀ c₁ : Choice}
            → (P : Process+ ∞ {lu} c₀)
            → (A B : Label lu → Bool)
            → (Q : Process ∞ c₁)
            → Ref+ (P [ A ]||+p[ B ] Q) (fmap+ swapx ((Q [ B ]||p+[ A ] P)))
  S[||]+p P A B (terminate x) l m q = lemFmap+ (_,,_ x) swapx (P \+ (A \ B)) l m q
  S[||]+p P A B (node Q) l m q = S[||]+ P A B Q l m q

  S[||]p+ : {lu : LUniv}{c₀ c₁ : Choice}
            → (P : Process ∞ c₀)
            → (A B : Label lu → Bool)
            → (Q : Process+ ∞ {lu} c₁)
            → Ref+ (P [ A ]||p+[ B ] Q) (fmap+ swapx ((Q [ B ]||+p[ A ] P)))
  S[||]p+ (terminate x) A B Q l m q = lemFmap+ (λ a → a ,, x) swapx (Q \+ (B \ A)) l m q
  S[||]p+ (node P) A B Q l m q = S[||]+ P A B Q l m q

A.90 proofSymParR.agda

--@PREFIX@mainproofSymParR
module proofSymParR where

open import process
open import Size
open import choiceSetU
open import Data.Maybe
open import Data.List
open import Data.Sum
open import renamingResult
open import TraceWithoutSize
open import RefWithoutSize
open import lemFmap
open import auxData
open import parallelSimple
open import Data.Bool.Base renaming (T to T')
open import restrict
open import auxLemmaPar
open import labelUniv

mutual

  --@BEGIN@natDef
  S[||]+R : {lu : LUniv}{c₀ c₁ : Choice} (P : Process+ ∞ {lu} c₀)
            (A B : Label lu → Bool) (Q : Process+ ∞ {lu} c₁)
            → fmap+ swapx ((Q [ B ]||+[ A ] P)) ⊑+ (P [ A ]||+[ B ] Q)
  S[||]+R P A B Q .[] .nothing empty = empty
  S[||]+R P A B Q .(Lab P a ∷ l) m (extc l .m (inj₁ (inj₁ (sub a x))) x₁) = extc l m (inj₁ (inj₂ (sub a x))) (S[||]∞+R (PE P a) A B Q l m x₁)
  S[||]+R P A B Q .(Lab Q a ∷ l) m (extc l .m (inj₁ (inj₂ (sub a x))) x₁) = extc l m (inj₁ (inj₁ (sub a x))) (S[||]+∞R P A B (PE Q a) l m x₁)
  S[||]+R {lu} P A B Q .(Lab P x ∷ l) m (extc l .m (inj₂ (sub (x ,, x₁) x₂)) x₃) = let
      lxlx₁ : T' (Lab P x ==l Lab Q x₁)
      lxlx₁ = lemmaBool (Lab P x ==l Lab Q x₁)
                        (A (Lab P x) ∧ B (Lab Q x₁)) x₂

      BQx : T' (B (Lab Q x₁))
      BQx = lemmaBool' (Lab P x ==l Lab Q x₁)
                       (A (Lab P x)) (B (Lab Q x₁)) x₂

      APx₁ : T' (A (Lab P x))
      APx₁ = lemmaBool (A (Lab P x)) (B (Lab Q x₁))
                       (lemmaBoolR (Lab P x ==l Lab Q x₁)
                                   (A (Lab P x) ∧ B (Lab Q x₁)) x₂)

      lx₁lx : T' (Lab Q x₁ ==l Lab P x)
      lx₁lx = sym==l {lu} {Lab P x} {Lab Q x₁} lxlx₁

      x₂' : T' ((Lab Q x₁ ==l Lab P x) ∧ B (Lab Q x₁) ∧ A (Lab P x))
      x₂' = lemmaBool'' ((Lab Q x₁ ==l Lab P x))
                        (B (Lab Q x₁)) (A (Lab P x)) lx₁lx BQx APx₁

      auxproof : Tr+ (Lab Q x₁ ∷ l) m
                     (fmap+ swapx (Q [ B ]||+[ A ] P))
      auxproof = extc l m (inj₂ (sub (x₁ ,, x) x₂'))
                          (S[||]∞∞R (PE P x) A B (PE Q x₁) l m x₃)

      auxproof' : Tr+ (Lab P x ∷ l) m
                      (fmap+ swapx (Q [ B ]||+[ A ] P))
      auxproof' = transfLu {lu} (λ l' → Tr+ (l' ∷ l) m
                                 (fmap+ swapx (Q [ B ]||+[ A ] P)))
                           {Lab Q x₁} {Lab P x} lx₁lx auxproof
    in auxproof'
  S[||]+R P A B Q l m (intc .l .m (inj₁ x) x₁) = intc l m (inj₂ x) (S[||]∞+R (PI P x) A B Q l m x₁)
  S[||]+R P A B Q l m (intc .l .m (inj₂ y) x₁) = intc l m (inj₁ y) (S[||]+∞R P A B (PI Q y) l m x₁)
  S[||]+R P A B Q .[] .(just (PT P x ,, PT Q x₁)) (terc (x ,, x₁)) = terc ((x₁ ,, x))
  --@END

  S[||]+∞R : {lu : LUniv}{c₀ c₁ : Choice}
             → (P : Process+ ∞ {lu} c₀)
             → (A B : Label lu → Bool)
             → (Q : Process∞ ∞ {lu} c₁)
             → Ref∞ (fmap∞ swapx ((Q [ B ]||∞+[ A ] P))) (P [ A ]||+∞[ B ] Q)
  S[||]+∞R P A B Q l m (tnode tr) = tnode (S[||]+pR P A B (forcep Q) l m tr)

  S[||]∞+R : {lu : LUniv}{c₀ c₁ : Choice}
             → (P : Process∞ ∞ {lu} c₀)
             → (A B : Label lu → Bool)
             → (Q : Process+ ∞ {lu} c₁)
             → Ref∞ (fmap∞ swapx ((Q [ B ]||+∞[ A ] P))) (P [ A ]||∞+[ B ] Q)
  S[||]∞+R P A B Q l m (tnode tr) = tnode (S[||]p+R (forcep P) A B Q l m tr)

  S[||]+pR : {lu : LUniv}{c₀ c₁ : Choice}
             → (P : Process+ ∞ {lu} c₀)
             → (A B : Label lu → Bool)
             → (Q : Process ∞ {lu} c₁)
             → Ref+ (fmap+ swapx ((Q [ B ]||p+[ A ] P))) (P [ A ]||+p[ B ] Q)
  S[||]+pR P A B (terminate x) l m q = lemFmap+R (_,,_ x) swapx (P \+ (A \ B)) l m q
  S[||]+pR P A B (node Q) l m q = S[||]+R P A B Q l m q

  S[||]p+R : {lu : LUniv}{c₀ c₁ : Choice}
             → (P : Process ∞ {lu} c₀)
             → (A B : Label lu → Bool)
             → (Q : Process+ ∞ {lu} c₁)
             → Ref+ (fmap+ swapx ((Q [ B ]||+p[ A ] P))) (P [ A ]||p+[ B ] Q)
  S[||]p+R (terminate x) A B Q l m q = lemFmap+R (λ a → a ,, x) swapx (Q \+ (B \ A)) l m q
  S[||]p+R (node P) A B Q l m q = S[||]+R P A B Q l m q

  S[||]∞∞R : {lu : LUniv}{c₀ c₁ : Choice}
             → (P : Process∞ ∞ {lu} c₀)
             → (A B : Label lu → Bool)
             → (Q : Process∞ ∞ {lu} c₁)
             → Ref∞ (fmap∞ swapx ((Q [ B ]||∞[ A ] P))) (P [ A ]||∞[ B ] Q)
  S[||]∞∞R P A B Q l m x = S[||]ppR ((forcep P)) A B (forcep Q) l m x

  S[||]ppR : {lu : LUniv}{c₀ c₁ : Choice}
             → (P : Process ∞ {lu} c₀)
             → (A B : Label lu → Bool)
             → (Q : Process ∞ {lu} c₁)
             → Ref (fmap swapx ((Q [ B ]||[ A ] P))) (P [ A ]||[ B ] Q)
  S[||]ppR (terminate x) A B (terminate x₁) .[] .(just (x ,, x₁)) (ter .(x ,, x₁)) = ter (x ,, x₁)
  S[||]ppR (terminate x) A B (terminate x₁) .[] .nothing (empty .(x ,, x₁)) = empty (x ,, x₁)
  S[||]ppR (terminate x) A B (node x₁) .[] .nothing (tnode empty) = tnode empty
  S[||]ppR (terminate x) A B (node x₁) .(Lab x₁ a ∷ l) m (tnode (extc l .m (sub a x₂) x₃)) =
    tnode (extc l m (sub a x₂)
          (lemFmap∞R (λ a₁ → a₁ ,, x) swapx (PE (x₁ \+ (B \ A)) (sub a x₂)) l m x₃))
  S[||]ppR (terminate x) A B (node x₁) l m (tnode (intc .l .m x₂ x₃)) =
    tnode (intc l m x₂
          (lemFmap∞R (λ a → a ,, x) swapx (PI (x₁ \+ (B \ A)) x₂) l m x₃))
  S[||]ppR (terminate x) A B (node x₁) .[] .(just (x ,, PT x₁ x₂)) (tnode (terc x₂)) = tnode (terc x₂)
  S[||]ppR (node x) A B (terminate x₁) .[] .nothing (tnode empty) = tnode empty
  S[||]ppR (node x) A B (terminate x₁) .(Lab x a ∷ l) m (tnode (extc l .m (sub a x₂) x₃)) = tnode (extc l m (sub a x₂)
          (lemFmap∞R (_,,_ x₁) swapx (PE (x \+ (A \ B)) (sub a x₂)) l m x₃))
  S[||]ppR (node x) A B (terminate x₁) l m (tnode (intc .l .m x₂ x₃)) = tnode (intc l m x₂
          (lemFmap∞R (_,,_ x₁) swapx (PI (x \+ (A \ B)) x₂) l m x₃))
  S[||]ppR (node x) A B (terminate x₁) .[] .(just (PT x x₂ ,, x₁)) (tnode (terc x₂)) = tnode (terc x₂)
  S[||]ppR (node x) A B (node x₁) .[] .nothing (tnode empty) = tnode empty
  S[||]ppR (node x) A B (node x₁) .(Lab x a ∷ l) m (tnode (extc l .m (inj₁ (inj₁ (sub a x₂))) x₃)) =
    tnode (extc l m (inj₁ (inj₂ (sub a x₂))) (S[||]∞+R (PE x a) A B x₁ l m x₃))
  S[||]ppR (node x) A B (node x₁) .(Lab x₁ a ∷ l) m (tnode (extc l .m (inj₁ (inj₂ (sub a x₂))) x₃)) =
    tnode (extc l m (inj₁ (inj₁ (sub a x₂))) (S[||]+∞R x A B (PE x₁ a) l m x₃))
  S[||]ppR {lu} (node P) A B (node Q) .(Lab P x ∷ l) m (tnode (extc l .m (inj₂ (sub (x ,, x₁) x₂)) x₃)) = let
      lxlx₁ : T' (Lab P x ==l Lab Q x₁)
      lxlx₁ = lemmaBool (Lab P x ==l Lab Q x₁)
                        (A (Lab P x) ∧ B (Lab Q x₁)) x₂

      BQx : T' (B (Lab Q x₁))
      BQx = lemmaBool' (Lab P x ==l Lab Q x₁)
                       (A (Lab P x)) (B (Lab Q x₁)) x₂

      APx₁ : T' (A (Lab P x))
      APx₁ = lemmaBool (A (Lab P x)) (B (Lab Q x₁))
                       (lemmaBoolR (Lab P x ==l Lab Q x₁)
                                   (A (Lab P x) ∧ B (Lab Q x₁)) x₂)

      lx₁lx : T' (Lab Q x₁ ==l Lab P x)
      lx₁lx = sym==l {lu} {Lab P x} {Lab Q x₁} lxlx₁

      x₂' : T' ((Lab Q x₁ ==l Lab P x) ∧ B (Lab Q x₁) ∧ A (Lab P x))
      x₂' = lemmaBool'' ((Lab Q x₁ ==l Lab P x))
                        (B (Lab Q x₁)) (A (Lab P x)) lx₁lx BQx APx₁

      auxproof : Tr+ (Lab Q x₁ ∷ l) m
                     (fmap+ swapx (Q [ B ]||+[ A ] P))
      auxproof = extc l m (inj₂ (sub (x₁ ,, x) x₂'))
                          (S[||]∞∞R (PE P x) A B (PE Q x₁) l m x₃)

      auxproof' : Tr+ (Lab P x ∷ l) m
                      (fmap+ swapx (Q [ B ]||+[ A ] P))
      auxproof' = transfLu {lu} (λ l' → Tr+ (l' ∷ l) m
                                 (fmap+ swapx (Q [ B ]||+[ A ] P)))
                           {Lab Q x₁} {Lab P x} lx₁lx auxproof
    in tnode auxproof'
  S[||]ppR (node x) A B (node x₁) l m (tnode (intc .l .m (inj₁ x₂) x₃)) = tnode (intc l m (inj₂ x₂) (S[||]∞+R (PI x x₂) A B x₁ l m x₃))
  S[||]ppR (node x) A B (node x₁) l m (tnode (intc .l .m (inj₂ y) x₃)) = tnode (intc l m (inj₁ y) (S[||]+∞R x A B (PI x₁ y) l m x₃))
  S[||]ppR (node x) A B (node x₁) .[] .(just (PT x x₂ ,, PT x₁ x₃)) (tnode (terc (x₂ ,, x₃))) = tnode (terc (x₃ ,, x₂))


A.91 proofTerHide.agda

--@PREFIX@mainproofTerHide
module proofTerHide where

open import process
open import Size
open import choiceSetU
open import auxData
open import Data.Maybe
open import Data.List
open import Data.Sum
open import labelUniv
open import dataAuxFunction
open import renamingResult
open import TraceWithoutSize
open import RefWithoutSize
open import hidingOperator
open import primitiveProcess
open import Data.Bool
open import traceEquivalence
open import Data.Product

--@BEGIN@unitHideLaw
unitHideLaw : {i : Size} {lu : LUniv}{c₀ : Choice} (a : ChoiceSet c₀)
              → (A : Label lu → Bool)
              → (P : Process i {lu} c₀)
              → Hide A (terminate a) ⊑ (terminate a)
unitHideLaw {i} {c₀} a A P l m q = q

unitHideLawr : {i : Size} {lu : LUniv}{c₀ : Choice} (a : ChoiceSet c₀)
               → (A : Label lu → Bool)
               → (P : Process i {lu} c₀)
               → (terminate a) ⊑ Hide A (terminate a)
unitHideLawr {i} {c₀} a A P l m q = q
--@END

--@BEGIN@unitHideLawTheo
≡unitHide : {i : Size} {lu : LUniv}{c₀ : Choice} (a : ChoiceSet c₀)
            → (A : Label lu → Bool)
            → (P : Process i {lu} c₀)
            → Hide A (terminate a) ≡ (terminate a)
--@END

--@BEGIN@unitHideLawTheoProof
≡unitHide a A P = (unitHideLaw a A P) , (unitHideLawr a A P)
--@END

--@BEGIN@stopHideLaw
stopHideLaw : {i : Size} {lu : LUniv}{c₀ : Choice} (a : ChoiceSet c₀)
              → (A : Label lu → Bool)
              → (P : Process i {lu} c₀)
              → Hide A (STOP c₀) ⊑ ((STOP c₀))
stopHideLaw {i} {c₀} a A (terminate x) .[] .nothing (tnode empty)
  = tnode empty
stopHideLaw {i} {c₀} a A (terminate x₁) .(efq _ ∷ l) m
  (tnode (extc l .m () x₂))
stopHideLaw {i} {c₀} a A (terminate x) l m
  (tnode (intc .l .m () x₂))
stopHideLaw {i} {c₀} a A (terminate x₁) .[] .(just (efq x))
  (tnode (terc x)) = tnode (terc x)
stopHideLaw {i} {c₀} a A (node x) .[] .nothing (tnode empty)
  = tnode empty
stopHideLaw {i} {c₀} a A (node x₁) .(efq _ ∷ l) m
  (tnode (extc l .m () x₂))
stopHideLaw {i} {c₀} a A (node x) l m (tnode (intc .l .m () x₂))
stopHideLaw {i} {c₀} a A (node x₁) .[] .(just (efq x))
  (tnode (terc x)) = tnode (terc x)
--@END

stopHideLawr : {i : Size} {lu : LUniv}{c₀ : Choice} (a : ChoiceSet c₀)
               → (A : Label lu → Bool)
               → (P : Process i {lu} c₀)
               → (STOP c₀) ⊑ Hide A (STOP c₀)
stopHideLawr {i} {c₀} a A (terminate x) .[] .nothing (tnode empty) = tnode empty
stopHideLawr {i} {c₀} a A (terminate x₁) .(efq _ ∷ l) m (tnode (extc l .m (sub () x) x₂))
stopHideLawr {i} {c₀} a A (terminate x) l m (tnode (intc .l .m (inj₁ ()) x₂))
stopHideLawr {i} {c₀} a A (terminate x) l m (tnode (intc .l .m (inj₂ (sub () x₁)) x₂))
stopHideLawr {i} {c₀} a A (terminate x₁) .[] .(just (efq x)) (tnode (terc x)) = tnode (terc x)
stopHideLawr {i} {c₀} a A (node x) .[] .nothing (tnode empty) = tnode empty
stopHideLawr {i} {c₀} a A (node x₁) .(efq _ ∷ l) m (tnode (extc l .m (sub () x) x₂))
stopHideLawr {i} {c₀} a A (node x) l m (tnode (intc .l .m (inj₁ ()) x₂))
stopHideLawr {i} {c₀} a A (node x) l m (tnode (intc .l .m (inj₂ (sub () x₁)) x₂))
stopHideLawr {i} {c₀} a A (node x₁) .[] .(just (efq x)) (tnode (terc x)) = tnode (terc x)

--@BEGIN@stopHideLawEq
≡stopHide : {i : Size} {lu : LUniv}{c₀ : Choice} (a : ChoiceSet c₀)
            → (A : Label lu → Bool)
            → (P : Process i {lu} c₀)
            → Hide A (STOP c₀) ≡ (STOP c₀)
--@END

--@BEGIN@stopHideLawEqProof
≡stopHide a A P = (stopHideLaw a A P) , (stopHideLawr a A P)
--@END


A. Agda Code

A.92 proofTerInter.agda

--@PREFIX@mainproofTerInter
module proofTerInter where

open import process
open import Size
open import choiceSetU
open import renamingResult
open import TraceWithoutSize
open import RefWithoutSize
open import auxData
open import label
open import parallelSimple
open import restrict
open import Data.Bool
open import interleave
open import traceEquivalence
open import Data.Product
open import labelUniv

--@BEGIN@TerIntLaw
TerIntLaw : {lu : LUniv}{c₀ c₁ : Choice} (a : ChoiceSet c₀) (b : ChoiceSet c₁)
            → _⊑_ {lu} (terminate a ||| terminate b) (terminate ((a ,, b)))
TerIntLaw {lu} {c₀} {c₁} a P l m q = q

TerIntLawr : {lu : LUniv}{c₀ c₁ : Choice} (a : ChoiceSet c₀) (b : ChoiceSet c₁)
             → _⊑_ {lu} (terminate ((a ,, b))) (terminate a ||| terminate b)
TerIntLawr {lu} {c₀} {c₁} a P l m q = q
--@END

--@BEGIN@TerIntLawTheo
≡TerInt+ : {lu : LUniv}{c₀ c₁ : Choice} (a : ChoiceSet c₀) (b : ChoiceSet c₁)
           → _≡_ {lu} (terminate a ||| terminate b) (terminate ((a ,, b)))
--@END

--@BEGIN@TerIntLawTheoProof
≡TerInt+ a b = TerIntLaw a b , TerIntLawr a b
--@END

--@BEGIN@uniIntLaw
uniIntLaw : {lu : LUniv}{c₀ : Choice} (a : ChoiceSet c₀)
            → (P : Process ∞ {lu} c₀)
            → (terminate a ||| P) ⊑ fmap ((_,,_ a)) P
uniIntLaw {c₀} a P l m q = q

uniIntLawr : {lu : LUniv}{c₀ : Choice} (a : ChoiceSet c₀)
             → (P : Process ∞ {lu} c₀)
             → fmap ((_,,_ a)) P ⊑ (terminate a ||| P)
uniIntLawr {c₀} a P l m q = q
--@END

--@BEGIN@uniIntLawTheo
≡uniInt : {lu : LUniv}{c₀ : Choice} (a : ChoiceSet c₀)
          → (P : Process ∞ {lu} c₀)
          → (terminate a ||| P) ≡ fmap ((_,,_ a)) P
--@END

--@BEGIN@uniIntLawTheoProof
≡uniInt a P = (uniIntLaw a P) , (uniIntLawr a P)
--@END


A.93 proofTerPar.agda

--@PREFIX@mainproofTerPar
module proofTerPar where

open import process
open import Size
open import choiceSetU
open import renamingResult
open import TraceWithoutSize
open import RefWithoutSize
open import auxData
open import parallelSimple
open import restrict
open import Data.Bool
open import traceEquivalence
open import Data.Product
open import labelUniv

--@BEGIN@unitPar
unit[-||-] : {lu : LUniv}{c₀ : Choice} (a : ChoiceSet c₀)(P : Process ∞ c₀) (A B : Label lu → Bool)
             → (terminate a [ A ]||[ B ] P) ⊑ fmap ((λ b → (a ,, b))) (P \ (B \ A))
unit[-||-] {c₀} a P A B l m q = q

unit[-||-]r : {lu : LUniv}{c₀ : Choice} (a : ChoiceSet c₀)(P : Process ∞ c₀) (A B : Label lu → Bool)
              → fmap ((λ b → (a ,, b))) (P \ (B \ A)) ⊑ (terminate a [ A ]||[ B ] P)
unit[-||-]r {c₀} a P A B l m q = q

≡U+ : {lu : LUniv}{c₀ : Choice} (a : ChoiceSet c₀)(P : Process ∞ c₀) (A B : Label lu → Bool)
      → (terminate a [ A ]||[ B ] P) ≡ fmap ((λ b → (a ,, b))) (P \ (B \ A))
≡U+ a P A B = (unit[-||-] a P A B) , (unit[-||-]r a P A B)
--@END

unit[-||-]R : {lu : LUniv}{c₀ : Choice} (b : ChoiceSet c₀)(P : Process ∞ c₀) (A B : Label lu → Bool)
              → (P [ B ]||[ A ] terminate b) ⊑ fmap (λ a → (a ,, b)) (P \ (B \ A))
unit[-||-]R {c₀} a (terminate x) A B l m q = q
unit[-||-]R {c₀} a (node x) A B l m (tnode x₁) = tnode x₁

unit[-||-]RR : {lu : LUniv}{c₀ : Choice} (b : ChoiceSet c₀)(P : Process ∞ c₀) (A B : Label lu → Bool)
               → fmap (λ a → (a ,, b)) (P \ (B \ A)) ⊑ (P [ B ]||[ A ] terminate b)
unit[-||-]RR {c₀} a (terminate x) A B l m q = q
unit[-||-]RR {c₀} a (node x) A B l m (tnode x₁) = tnode x₁

≡Ur+ : {lu : LUniv}{c₀ : Choice} (b : ChoiceSet c₀)(P : Process ∞ c₀) (A B : Label lu → Bool)
       → (P [ B ]||[ A ] terminate b) ≡ fmap (λ a → (a ,, b)) (P \ (B \ A))
≡Ur+ b P A B = (unit[-||-]R b P A B) , (unit[-||-]RR b P A B)
--@END

--@BEGIN@terPr
ter[-||-] : {lu : LUniv}{c₀ c₁ : Choice} (a : ChoiceSet c₀)
            (b : ChoiceSet c₁) (A B : Label lu → Bool)
            → (terminate a [ A ]||[ B ] terminate b) ⊑
              fmap (λ x → a ,, b) (terminate ((a ,, b)))
ter[-||-] {c₀} a P A B l m q = q

ter[-||-]r : {lu : LUniv}{c₀ c₁ : Choice} (a : ChoiceSet c₀)
             (b : ChoiceSet c₁) (A B : Label lu → Bool)
             → fmap (λ x → a ,, b) (terminate ((a ,, b))) ⊑
               (terminate a [ A ]||[ B ] terminate b)
ter[-||-]r a P A B l m q = q
--@END

--@BEGIN@terPrTheo
≡ter[-||-] : {lu : LUniv}{c₀ c₁ : Choice} (a : ChoiceSet c₀)
             (b : ChoiceSet c₁) (A B : Label lu → Bool)
             → (terminate a [ A ]||[ B ] terminate b)
               ≡ fmap (λ x → a ,, b) (terminate ((a ,, b)))
--@END

--@BEGIN@terPrTheoProof
≡ter[-||-] a b A B = (ter[-||-] a b A B) , (ter[-||-]r a b A B)
--@END


A.94 rec.agda

--@PREFIX@Rec
module rec where

open import Data.String renaming (_++_ to _++s_)
open import Data.Sum
open import Size
open import choiceSetU
open import process
open import dataAuxFunction
open import sequentialComposition
open import showFunction
open import renamingProcess
open import labelUniv

--@BEGIN@recDef
mutual
  rec : {i : Size} → {lu : LUniv}{c₀ c₁ : Choice}
        → (s : String)
        → (ChoiceSet c₀ → Process+ (↑ i) {lu} (c₀ ⊎' c₁))
        → ChoiceSet c₀
        → Process∞ i {lu} c₁
  forcep (rec s f a) = renameP s
                       (f a ⟫=+p recaux s f)
  Str∞ (rec s f a) = s

  recaux : {i : Size} → {lu : LUniv}{c₀ c₁ : Choice}
           → (s : String)
           → (ChoiceSet c₀ → Process+ (↑ i) {lu} (c₀ ⊎' c₁))
           → (ChoiceSet c₀ ⊎ ChoiceSet c₁)
           → Process∞ i {lu} c₁
  recaux s f (inj₁ x) = rec s f x
  recaux s f (inj₂ x) = delay (terminate x)

recStr : {lu : LUniv}{c₀ : Choice}
         → (ChoiceSet c₀ → String)
         → ChoiceSet c₀ → String
recStr f a = "rec (" ++s choice2Str2Str f ++s "," ++s choice2Str a ++s ")"
--@END

recAutoStr : {i : Size} → {lu : LUniv}{c₀ c₁ : Choice}
             → (ChoiceSet c₀ → Process+ (↑ i) {lu} (c₀ ⊎' c₁))
             → ChoiceSet c₀
             → Process∞ i c₁
recAutoStr {i} {lu} f a = rec (recStr {lu} (Str+ ∘ f) a) f a


A.95 RefWithoutSize.agda 


--@PREFIX@mainRefWithoutSize
module RefWithoutSize where

open import Size
open import Data.List
open import Data.Product
open import Data.Maybe
open import labelUniv
open import process
open import choiceSetU
open import TraceWithoutSize

--@BEGIN@refDef
_⊑_ : {lu : LUniv}{c : Choice} (P : Process ∞ {lu} c)
      (Q : Process ∞ {lu} c) → Set
_⊑_ {lu} {c} P Q = (l : List (Label lu))
                   → (m : Maybe (ChoiceSet c))
                   → (tr : Tr {lu} l m Q) → Tr {lu} l m P
--@END

--@BEGIN@refInfDef
_⊑∞_ : {lu : LUniv}{c : Choice} (P : Process∞ ∞ {lu} c)
       (Q : Process∞ ∞ {lu} c) → Set
_⊑∞_ {lu} {c} P Q = (l : List (Label lu))
                    → (m : Maybe (ChoiceSet c))
                    → (tr : Tr∞ {lu} l m Q) → Tr∞ {lu} l m P
--@END

--@BEGIN@refPlusDef
_⊑+_ : {lu : LUniv}{c : Choice} (P : Process+ ∞ {lu} c)
       (Q : Process+ ∞ {lu} c) → Set
_⊑+_ {lu}{c} P Q = (l : List (Label lu))
                   → (m : Maybe (ChoiceSet c))
                   → (tr : Tr+ {lu} l m Q) → Tr+ {lu} l m P
--@END

--@BEGIN@natDef
Ref  = _⊑_
Ref∞ = _⊑∞_
Ref+ = _⊑+_

_⊑r_ : {lu : LUniv}{c c₁ : Choice} (P : Process ∞ {lu} c)
       (Q : Process ∞ {lu} c₁) → Set
_⊑r_ {lu}{c} {c₁} P Q = (l : List (Label lu))
                        → (m : Maybe (ChoiceSet c))
                        → (m₁ : Maybe (ChoiceSet c₁))
                        → Tr {lu} l m₁ Q → Tr {lu} l m P

Refr = _⊑r_

_⊑∞r_ : {lu : LUniv}{c c₁ : Choice} (P : Process∞ ∞ {lu} c)
        (Q : Process∞ ∞ {lu} c₁) → Set
_⊑∞r_ {lu} {c} {c₁} P Q = (l : List (Label lu))
                          → (m : Maybe (ChoiceSet c))
                          → (m₁ : Maybe (ChoiceSet c₁))
                          → Tr∞ {lu} l m₁ Q → Tr∞ {lu} l m P

Ref∞r = _⊑∞r_

_⊑+r_ : {lu : LUniv} {c c₁ : Choice} (P : Process+ ∞ {lu} c)
        (Q : Process+ ∞ {lu} c₁) → Set
_⊑+r_ {lu} {c} {c₁} P Q = (l : List (Label lu))
                          → (m : Maybe (ChoiceSet c))
                          → (m₁ : Maybe (ChoiceSet c₁))
                          → Tr+ {lu} l m₁ Q → Tr+ {lu} l m P

Ref+r = _⊑+r_
--@END
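The refinement relations above all have the same shape: `P ⊑ Q` holds when every trace `(l, m)` of `Q` (a list of labels, optionally ending in a result `m`) is also a trace of `P`. The following Python model is an added example, not code from CSP-Agda: it represents a finite process with the same three kinds of choice as `Process+` (external with a label, internal and silent, termination with a result), computes its set of traces, and checks refinement as set inclusion; the restriction `P ↾ A` on external labels from restrict.agda is modelled as well. All names (`Node`, `Terminate`, `traces`, `refines`, `restrict`, the sample processes) and the sample labels are the example's own.

```python
"""Finite model of trace refinement (RefWithoutSize.agda) and label restriction
(restrict.agda). Added example; not part of the CSP-Agda library."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple, Union


@dataclass
class Terminate:
    """Counterpart of the `terminate a` constructor: a finished process with result a."""
    result: str


@dataclass
class Node:
    """Counterpart of a `node P` with P : Process+.
    ext  : label -> successor        (E, Lab, PE)
    int_ : silent successors         (I, PI)
    term : termination results       (T, PT)"""
    ext: Dict[str, "Process"] = field(default_factory=dict)
    int_: List["Process"] = field(default_factory=list)
    term: List[str] = field(default_factory=list)


Process = Union[Terminate, Node]

# A trace (l, m) corresponds to an inhabitant of `Tr l m P`: the observed
# labels l, and `just m` if the process may terminate with result m afterwards.
Trace = Tuple[Tuple[str, ...], Optional[str]]


def traces(p: Process) -> Set[Trace]:
    """All traces of p. The empty trace with no result is always included."""
    out: Set[Trace] = {((), None)}
    if isinstance(p, Terminate):
        out.add(((), p.result))
        return out
    for r in p.term:                      # termination events contribute a result
        out.add(((), r))
    for lab, q in p.ext.items():          # external choice: prefix the label
        for ls, m in traces(q):
            out.add(((lab,) + ls, m))
    for q in p.int_:                      # internal choice is silent (tau)
        out |= traces(q)
    return out


def refines(p: Process, q: Process) -> bool:
    """P ⊑ Q as defined above: a function Tr l m Q → Tr l m P exists for all l, m,
    which for a finite model means traces(Q) ⊆ traces(P)."""
    return traces(q) <= traces(p)


def restrict(p: Process, allowed: Callable[[str], bool]) -> Process:
    """P ↾ A: keep only the external labels for which `allowed` is true,
    recursively; internal and termination choices are unchanged."""
    if isinstance(p, Terminate):
        return p
    return Node(ext={l: restrict(s, allowed) for l, s in p.ext.items() if allowed(l)},
                int_=[restrict(s, allowed) for s in p.int_],
                term=list(p.term))


# Constructed sample processes (labels a, b, c and result x are made up):
#   P = a -> ((b -> terminate x) |~| (c -> terminate x))
#   Q = a -> b -> terminate x
def sample_p() -> Process:
    return Node(ext={"a": Node(int_=[Node(ext={"b": Terminate("x")}),
                                     Node(ext={"c": Terminate("x")})])})


def sample_q() -> Process:
    return Node(ext={"a": Node(ext={"b": Terminate("x")})})


if __name__ == "__main__":
    P, Q = sample_p(), sample_q()
    print("P ⊑ Q:", refines(P, Q))                       # True: Q has fewer traces
    print("Q ⊑ P:", refines(Q, P))                       # False: P can also do a, c
    no_c = restrict(P, lambda l: l != "c")
    print("P ⊑ P ↾ (not c):", refines(P, no_c))           # True: restriction drops traces
    print("traces(P ↾ (not c)) == traces(Q):", traces(no_c) == traces(Q))
```

The model deliberately keeps the result type fixed on both sides, as `_⊑_` does; the `_⊑r_` family with two result types would need a second result parameter in the trace and a relation between them.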


A.96 renamingOperator.agda 


--@PREFIX@renamingOperator
module renamingOperator where

open import Size
open import process
open import choiceSetU
open import choiceAuxFunction
open import dataAuxFunction
open import auxData
open import labelUniv
open import Data.String renaming (_++_ to _++s_)
open import showLabelP hiding (labelLabelFunToString)

--@BEGIN@renamingOperatorDef
RenameStr : {lu : LUniv}(f : Label lu → Label lu) → String → String
RenameStr f s = "(" ++s s ++s ")" ++s (labelLabelFunToString f)

mutual
  Rename∞ : {i : Size} → {lu : LUniv} {c : Choice}
            → (f : Label lu → Label lu)
            → Process∞ i {lu} c → Process∞ i {lu} c
  forcep (Rename∞ f P) = Rename f (forcep P)
  Str∞ (Rename∞ f P) = RenameStr f (Str∞ P)

  Rename : {i : Size} → {lu : LUniv}{c : Choice}
           → (f : Label lu → Label lu)
           → Process i {lu} c → Process i {lu} c
  Rename f (node P) = node (Rename+ f P)
  Rename f (terminate x) = terminate x

  Rename+ : {i : Size} → {lu : LUniv}{c : Choice}
            → (f : Label lu → Label lu)
            → Process+ i {lu} c → Process+ i {lu} c
  E (Rename+ f P) = E P
  Lab (Rename+ f P) c = f (Lab P c)
  PE (Rename+ f P) c = Rename∞ f (PE P c)
  I (Rename+ f P) = I P
  PI (Rename+ f P) c = Rename∞ f (PI P c)
  T (Rename+ f P) = T P
  PT (Rename+ f P) c = PT P c
  Str+ (Rename+ f P) = RenameStr f (Str+ P)
--@END

mutual
  RenameWithName∞ : {i : Size}
                    → {c : Choice}
                    → {lu : LUniv}
                    → (name : String → String)
                    → (f : Label lu → Label lu)
                    → Process∞ i {lu} c
                    → Process∞ i {lu} c
  forcep (RenameWithName∞ name f P) = RenameWithName name f (forcep P)
  Str∞ (RenameWithName∞ name f P) = name (Str∞ P)

  RenameWithName : {i : Size}
                   → {c : Choice}
                   → {lu : LUniv}
                   → (name : String → String)
                   → (f : Label lu → Label lu)
                   → Process i {lu} c
                   → Process i {lu} c
  RenameWithName name f (node P) = node (RenameWithName+ name f P)
  RenameWithName name f (terminate x) = terminate x

  RenameWithName+ : {i : Size}
                    → {c : Choice}
                    → {lu : LUniv}
                    → (name : String → String)
                    → (f : Label lu → Label lu)
                    → Process+ i {lu} c
                    → Process+ i {lu} c
  E (RenameWithName+ name f P) = E P
  Lab (RenameWithName+ name f P) c = f (Lab P c)
  PE (RenameWithName+ name f P) c = RenameWithName∞ name f (PE P c)
  I (RenameWithName+ name f P) = I P
  PI (RenameWithName+ name f P) c = RenameWithName∞ name f (PI P c)
  T (RenameWithName+ name f P) = T P
  PT (RenameWithName+ name f P) c = PT P c
  Str+ (RenameWithName+ name f P) = name (Str+ P)


A.97 renamingProcess.agda 


module renamingProcess where

open import Data.String
open import Size
open import process
open import choiceSetU
open import labelUniv

mutual
  renameP∞ : {i : Size} → {lu : LUniv}{c : Choice} → String → Process∞ i {lu} c → Process∞ i {lu} c
  forcep (renameP∞ {i} s P) {j} = renameP {j} s (forcep P {j})
  Str∞ (renameP∞ {i} s P) = s

  renameP : {i : Size} → {lu : LUniv}{c : Choice} → String → Process i {lu} c
            → Process i {lu} c
  renameP s (node P) = node (renameP+ s P)
  renameP s (terminate x) = terminate x

  renameP+ : {i : Size} → {lu : LUniv}{c : Choice} → String → Process+ i {lu} c
             → Process+ i c
  E (renameP+ s P) = E P
  Lab (renameP+ s P) c = Lab P c
  PE (renameP+ s P) c = PE P c
  I (renameP+ s P) = I P
  PI (renameP+ s P) c = PI P c
  T (renameP+ s P) = T P
  PT (renameP+ s P) c = PT P c
  Str+ (renameP+ s P) = s


A.98 renamingResult.agda 


--@PREFIX@renamingResult
module renamingResult where

open import process
open import Size
open import choiceSetU
open import sequentialComposition
open import dataAuxFunction
open import Data.String renaming (_++_ to _++s_)
open import showFunctionForSimulator
open import labelUniv

--@BEGIN@renamingDef
fmapStr : {c₀ c₁ : Choice} → (f : ChoiceSet c₀ → ChoiceSet c₁)
          → String → String
fmapStr f str = " (fmap " ++s choiceFunToStr₁ f ++s " " ++s str ++s ")"

mutual
  fmap∞ : {c₀ c₁ : Choice}
          → (f : ChoiceSet c₀ → ChoiceSet c₁)
          → {i : Size}
          → {lu : LUniv}
          → Process∞ i {lu} c₀ → Process∞ i {lu} c₁
  forcep (fmap∞ f P) = fmap f (forcep P)
  Str∞ (fmap∞ f P) = fmapStr f (Str∞ P)

  fmap : {lu : LUniv}{c₀ c₁ : Choice} → (f : ChoiceSet c₀
         → ChoiceSet c₁) → {i : Size}
         → Process i {lu} c₀ → Process i {lu} c₁
  fmap f (terminate a) = terminate (f a)
  fmap f (node P) = node (fmap+ f P)

  fmap+ : {c₀ c₁ : Choice}
          → (f : ChoiceSet c₀ → ChoiceSet c₁)
          → {i : Size}
          → {lu : LUniv}
          → Process+ i {lu} c₀ → Process+ i {lu} c₁
  E (fmap+ f P) = E P
  Lab (fmap+ f P) c = Lab P c
  PE (fmap+ f P) c = fmap∞ f (PE P c)
  I (fmap+ f P) = I P
  PI (fmap+ f P) c = fmap∞ f (PI P c)
  T (fmap+ f P) = T P
  PT (fmap+ f P) c = f (PT P c)
  Str+ (fmap+ f P) = fmapStr f (Str+ P)
--@END

fmapi : {c₀ c₁ : Choice} → (f : ChoiceSet c₀ → ChoiceSet c₁) → (i : Size)
        → {lu : LUniv}
        → Process i {lu} c₀
        → Process i {lu} c₁
fmapi f i P = fmap f {i} P

fmap+i : {c₀ c₁ : Choice} → (f : ChoiceSet c₀ → ChoiceSet c₁) → (i : Size)
         → {lu : LUniv}
         → Process+ i {lu} c₀
         → Process+ i {lu} c₁
fmap+i f i P = fmap+ f {i} P

fmap∞i : {c₀ c₁ : Choice} → (f : ChoiceSet c₀ → ChoiceSet c₁) → (i : Size)
         → {lu : LUniv}
         → Process∞ i {lu} c₀
         → Process∞ i {lu} c₁
fmap∞i f i = fmap∞ f {i}

fmap' : {c₀ c₁ : Choice} → (f : ChoiceSet c₀ → ChoiceSet c₁) → {i : Size}
        → {lu : LUniv}
        → Process i {lu} c₀
        → Process i {lu} c₁
fmap' f P = P >>= (delay ∘ (terminate ∘ f))

fmap+' : {c₀ c₁ : Choice} → (f : ChoiceSet c₀ → ChoiceSet c₁) → {i : Size}
         → {lu : LUniv}
         → Process+ i {lu} c₀
         → Process+ i {lu} c₁
fmap+' f P = P >>=+ (delay ∘ (terminate ∘ f))

fmap∞' : {c₀ c₁ : Choice} → (f : ChoiceSet c₀ → ChoiceSet c₁) → {i : Size}
         → {lu : LUniv}
         → Process∞ i {lu} c₀
         → Process∞ i {lu} c₁
fmap∞' f P = P >>=∞ (delay ∘ (terminate ∘ f))

mutual
  fmapCustomStr : {c₀ c₁ : Choice} (f : ChoiceSet c₀ → ChoiceSet c₁)
                  → (fname : String)
                  → String → String
  fmapCustomStr f fname str = " (fmap " ++s fname ++s " " ++s str ++s ")"

  fmapCustom∞ : {c₀ c₁ : Choice} → (f : ChoiceSet c₀ → ChoiceSet c₁) → {i : Size}
                → {lu : LUniv}
                → (fname : String)
                → Process∞ i {lu} c₀ → Process∞ i {lu} c₁
  forcep (fmapCustom∞ f fname P) = fmapCustom f fname (forcep P)
  Str∞ (fmapCustom∞ f fname P) = fmapCustomStr f fname (Str∞ P)

  fmapCustom : {c₀ c₁ : Choice} → (f : ChoiceSet c₀ → ChoiceSet c₁) → {i : Size}
               → {lu : LUniv}
               → (fname : String)
               → Process i {lu} c₀
               → Process i {lu} c₁
  fmapCustom f fname (terminate a) = terminate (f a)
  fmapCustom f fname (node P) = node (fmapCustom+ f fname P)

  fmapCustom+ : {c₀ c₁ : Choice} → (f : ChoiceSet c₀ → ChoiceSet c₁) → {i : Size}
                → {lu : LUniv}
                → (fname : String)
                → Process+ i {lu} c₀
                → Process+ i {lu} c₁
  E (fmapCustom+ f fname P) = E P
  Lab (fmapCustom+ f fname P) c = Lab P c
  PE (fmapCustom+ f fname P) c = fmapCustom∞ f fname (PE P c)
  I (fmapCustom+ f fname P) = I P
  PI (fmapCustom+ f fname P) c = fmapCustom∞ f fname (PI P c)
  T (fmapCustom+ f fname P) = T P
  PT (fmapCustom+ f fname P) c = f (PT P c)
  Str+ (fmapCustom+ f fname P) = fmapCustomStr f fname (Str+ P)

mutual
  fmapWithName∞ : {c₀ c₁ : Choice}
                  → (name : String → String)
                  → (f : ChoiceSet c₀ → ChoiceSet c₁)
                  → {i : Size}
                  → {lu : LUniv}
                  → Process∞ i {lu} c₀ → Process∞ i {lu} c₁
  forcep (fmapWithName∞ name f P) = fmapWithName name f (forcep P)
  Str∞ (fmapWithName∞ name f P) = name (Str∞ P)

  fmapWithName : {c₀ c₁ : Choice}
                 → (name : String → String)
                 → (f : ChoiceSet c₀ → ChoiceSet c₁) → {i : Size}
                 → {lu : LUniv}
                 → Process i {lu} c₀ → Process i {lu} c₁
  fmapWithName name f (terminate a) = terminate (f a)
  fmapWithName name f (node P) = node (fmapWithName+ name f P)

  fmapWithName+ : {c₀ c₁ : Choice}
                  → (name : String → String)
                  → (f : ChoiceSet c₀ → ChoiceSet c₁)
                  → {i : Size}
                  → {lu : LUniv}
                  → Process+ i {lu} c₀ → Process+ i {lu} c₁
  E (fmapWithName+ name f P) = E P
  Lab (fmapWithName+ name f P) c = Lab P c
  PE (fmapWithName+ name f P) c = fmapWithName∞ name f (PE P c)
  I (fmapWithName+ name f P) = I P
  PI (fmapWithName+ name f P) c = fmapWithName∞ name f (PI P c)
  T (fmapWithName+ name f P) = T P
  PT (fmapWithName+ name f P) c = f (PT P c)
  Str+ (fmapWithName+ name f P) = name (Str+ P)

A.99 restrict.agda 


--@PREFIX@Restrict
module restrict where

open import Data.Bool renaming (T to True)
open import Data.Sum
open import Data.String renaming (_++_ to _++s_)
open import Data.String.Base
open import Size
open import process
open import labelUniv
open import showLabelP hiding (labelBoolFunToString)
open import choiceSetU
open import dataAuxFunction
open import auxData

-- restriction of external labels to those for which a function is true

-- ↾ is input as \uprightharpoon
--@BEGIN@StricDef
_↾Str_ : {lu : LUniv} → String → (A : Label lu → Bool) → String
str ↾Str A = "Restrict " ++s labelBoolFunToString A ++s " " ++s str

mutual
  _↾∞_ : {lu : LUniv} {i : Size} → {c : Choice} → Process∞ i {lu} c
         → (A : Label lu → Bool) → Process∞ i {lu} c
  forcep (P ↾∞ A) = (forcep P) ↾ A
  Str∞ (P ↾∞ A) = (Str∞ P) ↾Str A

  _↾_ : {lu : LUniv} {i : Size} → {c : Choice} → Process i {lu} c
        → (A : Label lu → Bool) → Process i {lu} c
  terminate a ↾ A = terminate a
  node P ↾ A = node (P ↾+ A)

  _↾+_ : {lu : LUniv} {i : Size} → {c : Choice} → Process+ i {lu} c
         → (A : Label lu → Bool) → Process+ i {lu} c
  E (P ↾+ A) = subset' (E P) (A ∘ (Lab P))
  Lab (P ↾+ A) (sub c p) = Lab P c
  PE (P ↾+ A) (sub c p) = PE P c ↾∞ A
  I (P ↾+ A) = I P
  PI (P ↾+ A) c = PI P c ↾∞ A
  T (P ↾+ A) = T P
  PT (P ↾+ A) c = PT P c
  Str+ (P ↾+ A) = Str+ P ↾Str A
--@END


A.100 sequentialComposition.agda


--@PREFIX@Sequential
module sequentialComposition where

open import Size
open import Data.Sum
open import choiceSetU
open import process
open import Data.String renaming (_++_ to _++s_)
open import showFunction
open import dataAuxFunction
open import labelUniv

--@BEGIN@seq
_>>=Str_ : {c₀ : Choice} → String
           → (ChoiceSet c₀ → String) → String
s >>=Str f = s ++s ";" ++s choice2Str2Str f

mutual
  _>>=∞_ : {i : Size} → {c₀ c₁ : Choice}
           → {lu : LUniv}
           → Process∞ i {lu} c₀
           → (ChoiceSet c₀ → Process∞ i c₁)
           → Process∞ i {lu} c₁
  forcep (P >>=∞ Q) = forcep P >>= Q
  Str∞ (P >>=∞ Q) = Str∞ P >>=Str (Str∞ ∘ Q)

  _>>=_ : {i : Size} → {c₀ c₁ : Choice}
          → {lu : LUniv}
          → Process i {lu} c₀
          → (ChoiceSet c₀ → Process∞ (↑ i) c₁)
          → Process i {lu} c₁
  node P >>= Q = node (P >>=+ Q)
  terminate x >>= Q = forcep (Q x)

  _>>=+_ : {i : Size} → {c₀ c₁ : Choice}
           → {lu : LUniv}
           → Process+ i {lu} c₀
           → (ChoiceSet c₀ → Process∞ i c₁)
           → Process+ i {lu} c₁
  E (P >>=+ Q) = E P
  Lab (P >>=+ Q) = Lab P
  PE (P >>=+ Q) c = PE P c >>=∞ Q
  I (P >>=+ Q) = I P ⊎' T P
  PI (P >>=+ Q) (inj₁ c) = PI P c >>=∞ Q
  PI (P >>=+ Q) (inj₂ c) = Q (PT P c)
  T (P >>=+ Q) = fin 0
  PT (P >>=+ Q) ()
  Str+ (P >>=+ Q) = Str+ P >>=Str (Str∞ ∘ Q)
--@END

_>>=+p_ : {i : Size} → {c₀ c₁ : Choice} → {lu : LUniv} → Process+ i {lu} c₀
          → (ChoiceSet c₀ → Process∞ i {lu} c₁)
          → Process i {lu} c₁
P >>=+p Q = node (P >>=+ Q)


A.101 sequentialCompositionRev.agda


module sequentialCompositionRev where

open import Size
open import Data.Sum
open import choiceSetU
open import process
open import Data.String renaming (_++_ to _++s_)
open import showFunction
open import dataAuxFunction
open import labelUniv

_>>=Str_ : {c₀ : Choice} → String
           → (ChoiceSet c₀ → String) → String
s >>=Str f = s ++s ";" ++s choice2Str2Str f

mutual
  _>>=∞_ : {i : Size} → {lu : LUniv}{c₀ c₁ : Choice}
           → Process∞ i {lu} c₀
           → (ChoiceSet c₀ → Process i {lu} c₁)
           → Process∞ i {lu} c₁
  forcep (P >>=∞ Q) = forcep P >>= Q
  Str∞ (P >>=∞ Q) = Str∞ P >>=Str (Str ∘ Q)

  _>>=_ : {i : Size} → {lu : LUniv}{c₀ c₁ : Choice}
          → Process i {lu} c₀
          → (ChoiceSet c₀ → Process i {lu} c₁)
          → Process i {lu} c₁
  node P >>= Q = node (P >>=+ Q)
  terminate x >>= Q = Q x

  _>>=+_ : {i : Size} → {lu : LUniv}{c₀ c₁ : Choice}
           → Process+ i {lu} c₀
           → (ChoiceSet c₀ → Process i {lu} c₁)
           → Process+ i {lu} c₁
  E (P >>=+ Q) = E P
  Lab (P >>=+ Q) = Lab P
  PE (P >>=+ Q) c = PE P c >>=∞ Q
  I (P >>=+ Q) = I P ⊎' T P
  PI (P >>=+ Q) (inj₁ c) = PI P c >>=∞ Q
  forcep (PI (P >>=+ Q) (inj₂ c)) = Q (PT P c)
  Str∞ (PI (P >>=+ Q) (inj₂ c)) = Str (Q (PT P c))
  T (P >>=+ Q) = ∅'
  PT (P >>=+ Q) ()
  Str+ (P >>=+ Q) = Str+ P >>=Str (Str ∘ Q)

_>>=+p_ : {i : Size} → {lu : LUniv}{c₀ c₁ : Choice} → Process+ i {lu} c₀
          → (ChoiceSet c₀ → Process i {lu} c₁)
          → Process i {lu} c₁
P >>=+p Q = node (P >>=+ Q)


A.102 showFunction.agda


--@PREFIX@showFunction
module showFunction where

open import process
open import auxData
open import choiceSetU
open import Size
open import Data.List
open import Data.List.Base renaming (map to mapL)
open import Data.String renaming (_++_ to _++s_)
open import showLabelP hiding (showLabel)
open import choiceAuxFunction
open import Data.Bool renaming (T to True)
open import Data.Maybe
open import Data.Sum
open import labelUniv

--@BEGIN@showProLab
showProLab : {i : Size} → {c : Choice} → {lu : LUniv}
             → Process i {lu} c → String
showProLab (terminate x) = ""
showProLab {i}{c} (node P) = unlinesWithChosenString
    " "
    ((mapL (λ c' → extChoiceElToName (choice2Str {E P} c')
                   ++s " : "
                   ++s showLabel (Lab P c'))
           (choice2Enum (E P)))
     ++
     (mapL (λ c → intChoiceElToName (choice2Str c)
                  ++s ":"
                  ++s "τ")
           (choice2Enum (I P))))
--@END

--@BEGIN@showtick
show✓ : {i : Size} → {c : Choice} → {lu : LUniv}
        → Process i {lu} c → String
show✓ (node P) = unlinesWithChosenString
    " "
    (mapL (λ t → (choice2Str t
                  ++s ":"
                  ++s choice2Str (PT P t)))
          (choice2Enum (T P)))
show✓ (terminate a) = ""
--@END

--@BEGIN@proChoiceIsempty
proChoiceIs∅ : {i : Size} → {c : Choice} → {lu : LUniv}
               → Process i {lu} c → Bool
proChoiceIs∅ (node P) = choiceIsEmpty (E P) ∧ choiceIsEmpty (I P)
proChoiceIs∅ (terminate x) = true
--@END

--@BEGIN@proHasSuccessfullyTerminated
proHasSuccessfullyTerminated : {i : Size} → {c : Choice} → {lu : LUniv}
                               → Process i {lu} c → Bool
proHasSuccessfullyTerminated (node P) = false
proHasSuccessfullyTerminated (terminate x) = true
--@END

--@BEGIN@proToI
proToI : ∀ {i} → {c : Choice} → {lu : LUniv} → Process i {lu} c → Choice
proToI (node P) = I P
proToI (terminate x) = fin 0
--@END

--@BEGIN@proToE
proToE : ∀ {i} → {c : Choice} → {lu : LUniv}
         → Process i {lu} c → Choice
proToE (node P) = E P
proToE (terminate x) = fin 0
--@END

--@BEGIN@proToLab
proToLab : ∀ {i} → {c : Choice} → {lu : LUniv}
           → (P : Process i {lu} c)
           → ChoiceSet (proToE P)
           → Label lu
proToLab (terminate x) ()
proToLab (node P) x = Lab P x
--@END

--@BEGIN@proPToSubProinf
proPToSubPro∞ : ∀ {i} → {c : Choice}
                → {lu : LUniv}
                → (P : Process i {lu} c)
                → ChoiceSet (proToE P) ⊎ ChoiceSet (proToI P)
                → Process∞ i {lu} c
proPToSubPro∞ (node P) (inj₁ c') = PE P c'
proPToSubPro∞ (node P) (inj₂ c') = PI P c'
proPToSubPro∞ (terminate x) (inj₁ ())
proPToSubPro∞ (terminate x) (inj₂ ())
--@END

--@BEGIN@proPToSubPrP
proPToSubPrP : ∀ {i} → {j : Size< i} → {c : Choice} → {lu : LUniv}
               → (P : Process i {lu} c)
               → ChoiceSet (proToE P) ⊎ ChoiceSet (proToI P)
               → Process j c
proPToSubPrP {i} {j} {c} P c' = forcep (proPToSubPro∞ {i} {c} P c')
--@END

--@BEGIN@choiceFunctionToString
choiceFunctionToString : {c₀ : Choice} → (c : Choice)
                         → (g : ChoiceSet c → ChoiceSet c₀) → String
choiceFunctionToString {c₀} c g = unlinesWithChosenString
    " "
    (mapL (λ x → " (λ "
                 ++s choice2Str x
                 ++s " → "
                 ++s choice2Str (g x)
                 ++s ")")
          (choice2Enum c))

choiceFunctionToString₁ : {c₀ : Choice} → {c : Choice}
                          → (g : ChoiceSet c → ChoiceSet c₀) → String
choiceFunctionToString₁ {c₀} {c} g = choiceFunctionToString {c₀} c g
--@END

--@BEGIN@choicetwoStrtwoStr
choice2Str2Str : {c : Choice} → (f : ChoiceSet c → String) → String
choice2Str2Str {c} f = unlinesWithChosenString " " (mapL ((λ x → "(λ "
                                                            ++s (choice2Str x)
                                                            ++s " → "
                                                            ++s f x
                                                            ++s ")"))
                                                    (choice2Enum c))
--@END

--@BEGIN@processToSubprocessz
processToSubprocess₀ : ∀ {i} → {c : Choice} → {lu : LUniv}
                       → (P : Process i {lu} c)
                       → ChoiceSet (proToE P) ⊎ ChoiceSet (proToI P)
                       → Process∞ i {lu} c
processToSubprocess₀ (node P) (inj₁ c') = PE P c'
processToSubprocess₀ (node P) (inj₂ c') = PI P c'
processToSubprocess₀ (terminate x) (inj₁ ())
processToSubprocess₀ (terminate x) (inj₂ ())
--@END

--@BEGIN@processToSubprocess
processToSubprocess : ∀ {i} → {j : Size< i} → {c : Choice} → {lu : LUniv}
                      → (P : Process i {lu} c)
                      → ChoiceSet (proToE P) ⊎ ChoiceSet (proToI P)
                      → Process j c
processToSubprocess {i} {j} {c} P c' = forcep (processToSubprocess₀ {i} {c} P c')
--@END


A.103 showFunctionForSimulator.agda


module showFunctionForSimulator where

open import process
open import auxData
open import choiceSetU
open import Size
open import Data.List
open import Data.List.Base renaming (map to mapL)
open import Data.String renaming (_++_ to _++s_)
open import showLabelP hiding (showLabel)
open import choiceAuxFunction
open import Data.Bool renaming (T to True)
open import Data.Maybe
open import Data.Sum
open import labelUniv

showMayLab : {lu : LUniv} → Maybe (Label lu) → String
showMayLab (just l) = showLabel l
showMayLab nothing = "τ"

showProLab : {i : Size} → {c : Choice} → {lu : LUniv} → Process i {lu} c → String
showProLab (terminate x) = ""
showProLab (node P) = unlinesWithChosenString
    " "
    ((mapL (λ c → extChoiceElToName (choice2Str c)
                  ++s ":"
                  ++s showLabel (Lab P c))
           (choice2Enum (E P)))
     ++
     (mapL (λ c → intChoiceElToName (choice2Str c)
                  ++s ":"
                  ++s "τ")
           (choice2Enum (I P))))

show✓ : {i : Size} → {c : Choice} → {lu : LUniv} → Process i {lu} c → String
show✓ (node P) = unlinesWithChosenString
    " "
    (mapL (λ t → (terminationChoiceElToName (choice2Str t)
                  ++s ":"
                  ++s choice2Str (PT P t)))
          (choice2Enum (T P)))
show✓ (terminate a) = ""

proChoiceIs∅ : {i : Size} → {c : Choice} → {lu : LUniv} → Process i {lu} c → Bool
proChoiceIs∅ (node P) = choiceIsEmpty (E P) ∧ choiceIsEmpty (I P)
proChoiceIs∅ (terminate x) = true

proHasSuccessfullyTerminated : {i : Size} → {c : Choice} → {lu : LUniv} → Process i {lu} c → Bool
proHasSuccessfullyTerminated (node P) = false
proHasSuccessfullyTerminated (terminate x) = true

proToE : ∀ {i} → {c : Choice} → {lu : LUniv} → Process i {lu} c → Choice
proToE (node P) = E P
proToE (terminate x) = fin 0

proToI : ∀ {i} → {c : Choice} → {lu : LUniv} → Process i {lu} c → Choice
proToI (node P) = I P
proToI (terminate x) = fin 0

proPToSubPro∞ : ∀ {i} → {c : Choice}
                → {lu : LUniv}
                → (P : Process i {lu} c)
                → ChoiceSet (proToE P) ⊎ ChoiceSet (proToI P)
                → Process∞ i {lu} c
proPToSubPro∞ (node P) (inj₁ c') = PE P c'
proPToSubPro∞ (node P) (inj₂ c') = PI P c'
proPToSubPro∞ (terminate x) (inj₁ ())
proPToSubPro∞ (terminate x) (inj₂ ())

proPToSubPrP : ∀ {i} → {j : Size< i} → {c : Choice}
               → {lu : LUniv}
               → (P : Process i {lu} c)
               → ChoiceSet (proToE P) ⊎ ChoiceSet (proToI P)
               → Process j {lu} c
proPToSubPrP {i} {j} {c} P c' = forcep (proPToSubPro∞ {i} {c} P c')

choiceFunToStr : {c₀ : Choice} → (c : Choice)
                 → (g : ChoiceSet c → ChoiceSet c₀) → String
choiceFunToStr {c₀} c g = unlinesWithChosenString
    " "
    (mapL (λ x → " (λ "
                 ++s choice2Str x
                 ++s " → "
                 ++s choice2Str (g x)
                 ++s ")")
          (choice2Enum c))

choiceFunToStr₁ : {c₀ : Choice} → {c : Choice}
                  → (g : ChoiceSet c → ChoiceSet c₀) → String
choiceFunToStr₁ {c₀} {c} g = choiceFunToStr {c₀} c g

choice2Str2Str : {c : Choice} → (f : ChoiceSet c → String) → String
choice2Str2Str {c} f = unlinesWithChosenString " " (mapL ((λ x → "(λ "
                                                            ++s (choice2Str x)
                                                            ++s " → "
                                                            ++s f x
                                                            ++s ")"))
                                                    (choice2Enum c))


A.104 showLabelP.agda


module showLabelP where
open import label
open import Data.String renaming (_++_ to _++s_)
open import Data.String.Base
open import Data.Bool
open import Data.List.Base
open import Data.List

unlinesWithChosenString : String → List String → String
unlinesWithChosenString s [] = ""
unlinesWithChosenString s (s' ∷ []) = s'
unlinesWithChosenString s (s' ∷ s'' ∷ l) = s' ++s s ++s unlinesWithChosenString s (s'' ∷ l)

showLabel : Label → String
showLabel laba = "a"
showLabel labb = "b"
showLabel labc = "c"

LabelList : List Label
LabelList = laba ∷ labb ∷ labc ∷ []

labelBoolFunToString : (Label → Bool) → String
labelBoolFunToString f = unlines (map showLabel (filter f LabelList))

labelLabelFunToString : (Label → Label) → String
labelLabelFunToString f = "[["
                          ++s unlinesWithChosenString ", " (map (λ l → showLabel (f l)
                                                                       ++s " <- " ++s showLabel l) LabelList)
                          ++s "]]"


A.105 simulator.agda


--@PREFIX@mainsimulator
module simulator where

open import Size
open import Data.Bool
open import Data.Maybe
open import Data.String renaming (_==_ to _==strb_; _++_ to _++s_)
open import SizedIO.Base renaming (force to forceIO; delay to delayIO)
open import SizedIO.Console hiding (main)
open import choiceSetU
open import process
open import showFunction
open import choiceAuxFunction
open import Data.Sum
open import UnitModule
open import labelUniv

mutual
  --@BEGIN@simulatorDefBlank
  myProgram : ∀ {i} → (displayProcess : Bool) {lu : LUniv}
              (c₀ : Choice)
              → Process ∞ {lu} c₀
              → IOConsole i Unit
  forceIO (myProgram {i} true c₀ P) =
      do' (putStrLn (Str P)) λ _ →
      myProgram₀ true c₀ P (proChoiceIs∅ P)
                            (proHasSuccessfullyTerminated P)
  myProgram {i} false c₀ P =
      myProgram₀ false c₀ P (proChoiceIs∅ P)
                             (proHasSuccessfullyTerminated P)
  --@END

  --@BEGIN@simulatorDefPartZero
  myProgram₀ : ∀ {i} → (displayProcess : Bool) (c₀ : Choice)
               {lu : LUniv} → Process ∞ {lu} c₀
               → (hasNoInternalOrExternalChoices : Bool)
               → (hasTerminated : Bool)
               → IOConsole i Unit
  myProgram₀ displayProcess c₀ P false b =
      do (putStrLn
            ("Termination-Events: " ++s show✓ P)) λ _ →
      do (putStrLn
            ("Events: " ++s showProLab P)) λ _ →
      do (putStrLn ("Choose Event")) λ _ →
      myProgram₁ displayProcess c₀ P
  myProgram₀ displayProcess c₀ P true false =
      do (putStrLn "Program got stuck") λ _ →
      return unit
  myProgram₀ displayProcess c₀ P true true =
      do (putStrLn
            "Program has successfully terminated") λ _ →
      return unit
  --@END

  --@BEGIN@simulatorDefPartOne
  myProgram₁ : ∀ {i} → (displayProcess : Bool) → (c₀ : Choice)
               → {lu : LUniv} → Process ∞ {lu} c₀
               → IOConsole i Unit
  forceIO (myProgram₁ displayProcess c₀ P) =
      do' getLine λ s →
      myProgram₂ displayProcess c₀ P s
                 (s ==strb "quit")
  --@END

  --@BEGIN@simulatorDefPartTwo
  myProgram₂ : ∀ {i} → (displayProcess : Bool) (c₀ : Choice)
               {lu : LUniv} (P : Process ∞ {lu} c₀)
               → String → Bool
               → IOConsole i Unit
  myProgram₂ displayProcess c₀ P s true =
      do (putStrLn "exiting") λ _ →
      return unit
  myProgram₂ displayProcess c₀ P s false =
      myProgram₃ displayProcess c₀ P s (s ==strb "showProcess")

  myProgram₃ : ∀ {i} → (displayProcess : Bool) (c₀ : Choice)
               {lu : LUniv} (P : Process ∞ {lu} c₀)
               → String → Bool
               → IOConsole i Unit
  forceIO (myProgram₃ displayProcess c₀ P s true) =
      do' (putStrLn (Str P)) λ _ →
      myProgram₄ displayProcess c₀ P
                 (lookupChoice (proToE P) (proToI P) s)
  myProgram₃ displayProcess c₀ P s false =
      myProgram₄ displayProcess c₀ P
                 (lookupChoice (proToE P) (proToI P) s)
  --@END

  --@BEGIN@simulatorDefPartThree
  myProgram₄ : ∀ {i} → (displayProcess : Bool) (c₀ : Choice) {lu : LUniv}
               (P : Process ∞ {lu} c₀)
               → Maybe ((ChoiceSet (proToE P)) ⊎ (ChoiceSet (proToI P)))
               → IOConsole i Unit
  forceIO (myProgram₄ displayProcess c₀ P nothing) =
      do' (putStrLn "please enter a choice amongst") λ _ →
      do (putStrLn (showProLab P)) λ _ →
      myProgram₁ displayProcess c₀ P
  forceIO (myProgram₄ displayProcess c₀ P (just (inj₁ ext))) =
      do' (putStrLn
            ("-" ++s showLabel (proToLab P ext) ++s "→")) λ _ →
      myProgram displayProcess c₀ (proPToSubPrP P (inj₁ ext))
  forceIO (myProgram₄ displayProcess c₀ P (just (inj₂ int))) =
      do' (putStrLn "-τ→") λ _ →
      myProgram displayProcess c₀ (proPToSubPrP P (inj₂ int))
  --@END

--@BEGIN@simulatorDefParti
myProgramᵢ : ∀ {i} → (displayProcess : Bool){c₀ : Choice}{lu : LUniv}
             → Process ∞ {lu} c₀ → IOConsole i Unit
myProgramᵢ {i} displayProcess {c₀} P = myProgram {i} displayProcess c₀ P
--@END

myProgramᵢ∞ : (displayProcess : Bool) {c₀ : Choice} {lu : LUniv}
              → Process∞ ∞ {lu} c₀ → IOConsole ∞ Unit
myProgramᵢ∞ displayProcess P = myProgramᵢ {∞} displayProcess (forcep P)

compile : {c : Choice}{lu : LUniv}(p : Process∞ ∞ {lu} c) → NativeIO Unit
compile p = translateIOConsole (myProgramᵢ∞ true p)


A. 106 simulatorCutDown.agda 


module simulatorCutDown where 


open import Size 
open import Data.Sum 
open import Data.Bool 
open import Data.Maybe 
open import Data.List 

open import Data.String renaming (_==_ to ==strb ; _++_ to _++s_ 

open import SizedlO.Base renaming (force to forcelO; delay to delaylO) 

open import SizedlO.Console hiding (main) 

open import NativelO 

open import choiceSetU 

open import process 

open Processoo 

open Process+ 


) 


open 

open 

open 

open 

open 

open 

open 

open 


mport showFunction 
mport choiceAuxFunction 
mport label 
mport prefix 
mport primitiveProcess 
mport interleave 
mport UnitModule 
mport labelUniv 


mutual
  simulator : ∀ {i} → {lu : LUniv}{c₀ : Choice}
              → Process ∞ {lu} c₀ → IOConsole i Unit
  forceIO (simulator P) =
    do' (putStrLn (Str P)) λ _ →
    do (putStrLn ("Termination-Events:" ++s showT P)) λ _ →
    do (putStrLn ("Events" ++s showProLab P)) λ _ →
    do (putStrLn ("Choose Event")) λ _ →
    do getLine λ s →
    simulator₁ P (lookupChoice (proToE P) (proToI P) s)

  simulator₁ : ∀ {i} → {lu : LUniv}{c₀ : Choice}
               → (P : Process ∞ {lu} c₀)
               → Maybe ((ChoiceSet (proToE P)) ⊎ (ChoiceSet (proToI P)))
               → IOConsole i Unit
  forceIO (simulator₁ P nothing) =
    do' (putStrLn "please enter a choice amongst") λ _ →
    do (putStrLn (showProLab P)) λ _ →
    simulator P
  simulator₁ P (just c₁) = simulator (proPToSubPrP P c₁)


setSTOP : Choice
setSTOP = namedElements ("STOP" ∷ [])

transition₁ : ∀ i → Process i {lsimple} setSTOP
transition₁ i = (lab laba) ⟶ delay ((lab labb) ⟶ delay ((lab labc) ⟶ delay (STOP {∞} setSTOP)))

transition₂ : ∀ i → Process i {lsimple} setSTOP
transition₂ i = (lab laba) ⟶ delay ((lab labb) ⟶ delay ((lab labc) ⟶ delay {(↑ i)} (STOP {∞} setSTOP)))

myResultType : Choice
myResultType = setSTOP ×' setSTOP

myProcess : Process ∞ {lsimple} myResultType
myProcess = transition₁ ∞ ||| transition₂ ∞


main : NativeIO Unit
main = translateIOConsole (simulator myProcess)


module skip where

open import Size
open import Data.String renaming (_==_ to _==strb_; _++_ to _++s_)
open import Data.List
open import process
open import auxData
open import dataAuxFunction
open import choiceSetU
open import labelUniv


STOP+ : (i : Size) → {lu : LUniv} → (c : Choice) → Process+ i {lu} c
STOP+ i c = process+ ∅' efq efq ∅' efq ∅' efq "STOP"

STOP : (i : Size) → {lu : LUniv} → (c : Choice) → Process i {lu} c
STOP i c = node (process+ ∅' efq efq ∅' efq ∅' efq "STOP")


SKIP+ : {lu : LUniv}{i : Size} → {c : Choice} → (a : ChoiceSet c)
        → Process+ i {lu} c
SKIP+ {lu} a = process+ ∅' efq efq ∅' efq ⊤' (λ _ → a)
                        ("SKIP(" ++s choice2Str a ++s ") ")


SKIP : {lu : LUniv} {i : Size} → {c : Choice} → (a : ChoiceSet c)
       → Process i {lu} c
SKIP {lu} a = node (SKIP+ a)


TERMINATE : {i : Size} → {lu : LUniv}{c : Choice} → (a : ChoiceSet c) → Process i {lu} c
TERMINATE a = terminate a

TERMINATE∞ : {i : Size} {lu : LUniv}{c : Choice} → (a : ChoiceSet c) → Process∞ i {lu} c
forcep (TERMINATE∞ a) = TERMINATE a
Str∞ (TERMINATE∞ a) = "terminate(" ++s choice2Str a ++s ")"


SKIPL+ : {lu : LUniv}{i : Size} → {c : Choice} → List (ChoiceSet c) → Process+ i {lu} c
SKIPL+ {lu} l = process+ ∅' efq efq ∅' efq (fin (length l)) (nth l) "SKIPL"


A.108 test.agda 


--@PREFIX@main 
module test where 

--@BEGIN@natDef 
data N : Set where 
zero : N 
--0HIDE-BEG 
sue : N —> N 
--0HIDE-END 
--SEND 


--@BEGIN@colDef 
data color : Set where 
Red : color 
Green : color 
--0HIDE-BEG 
Blue : color 
--0HIDE-END 
--SEND 


open import Data.Bool 


A.109 theoremProverAgdaChapterCod.agda


--@PREFIX@maine

module theoremProverAgdaChapterCod where
--@BEGIN@colDef

data color : Set where
  Red : color
  Green : color
  Blue : color

--@END


--@BEGIN@swapCol
swapColor : color → color
swapColor Red = Green
swapColor Green = Red
--@END


--@HIDE-BEG
swapColor Blue = Red
--@HIDE-END


--@BEGIN@natDef
data ℕ : Set where
  zero : ℕ
  succ : ℕ → ℕ
--@END


--@BEGIN@plusOp
_+_ : ℕ → ℕ → ℕ
zero + m = m
succ n + m = succ (n + m)
--@END


--@BEGIN@doublOp
double : ℕ → ℕ
double zero = zero
double (succ n) = succ (double n)
--@END


--@BEGIN@fibDef
fib : ℕ → ℕ
fib zero = zero
fib (succ zero) = succ zero
fib (succ (succ n)) = fib n + fib (succ n)
--@END

open import Coinduction using (♯_ ; ♭ ; ∞)
open import Size renaming (∞ to ∞')

--@BEGIN@streamDef
data stream : Set where
  _∷_ : ℕ → ∞ stream → stream
--@END


--@BEGIN@streamZero
stream₀ : stream
stream₀ = zero ∷ (♯ stream₀)
--@END


--@BEGIN@contStream
inc : ℕ → stream
inc n = n ∷ (♯ inc (succ n))
--@END


--@BEGIN@comStream
addStream : stream → stream → stream
addStream (x ∷ x₁) (y ∷ y₁) = (x + y) ∷ (♯ addStream (♭ x₁) (♭ y₁))
--@END


--@BEGIN@deDefination
mutual
  record ∞Delay (i : Size) (A : Set) : Set where
    coinductive
    field
      force : {j : Size< i} → Delay j A

  data Delay (i : Size) (A : Set) : Set where
    now   : A → Delay i A
    later : ∞Delay i A → Delay i A
--@END


--@BEGIN@BoolDef
data Bool : Set where
  true : Bool
  false : Bool
--@END


--@BEGIN@orDef
_or_ : Bool → Bool → Bool
false or m = m
true or m = true
--@END


--@BEGIN@postulateDef
postulate _and_ : Bool → Bool → Bool
postulate if_then_else_ : Bool → Bool → Bool → Bool
--@END


--@BEGIN@infixlDef
infixl 10 _or_
infixl 11 _and_
infixl 12 if_then_else_
--@END


--@BEGIN@boolDef
data 𝔹 : Set where
  true : 𝔹
  false : 𝔹
--@END


--@BEGIN@orUnicode
_∨_ : 𝔹 → 𝔹 → 𝔹
true ∨ true = true
true ∨ false = true
false ∨ true = true
false ∨ false = false
--@END

--@BEGIN@idExEx
id : {A : Set} → A → A
id x = x
--@END


--@BEGIN@idImEx
id₁ : (A : Set) → A → A
id₁ A x = x
--@END


--@BEGIN@idboolExEx
True : Bool
True = id true
--@END


--@BEGIN@idzeroExEx
Zero : ℕ
Zero = id zero
--@END


--@BEGIN@idNatImEx
Zero₁ : ℕ
Zero₁ = id₁ ℕ zero
--@END


--@BEGIN@idBoolImEX
true₁ : Bool
true₁ = id₁ Bool true
--@END


--@BEGIN@importMayEx
import maybe
--@END


--@BEGIN@fMayBeEx
fMaybe : {A B : Set} → (A → B) → maybe.Maybe A → maybe.Maybe B
fMaybe f maybe.nothing = maybe.nothing
fMaybe f (maybe.just x) = maybe.just (f x)
--@END


--import Data.Nat renaming (ℕ to ℕ')
--open Data.Nat

--@BEGIN@zeroExNat
Z : ℕ
Z = zero
--@END


--@BEGIN@openImportEx
open import maybe
--@END


--@BEGIN@fmaybeOpenImportEx
fMaybe₁ : {A B : Set} → (A → B) → Maybe A → Maybe B
fMaybe₁ f nothing = nothing
fMaybe₁ f (just x) = just (f x)
--@END


--@BEGIN@recordDef
record AB : Set where
  constructor pair
  field
    a : ℕ
    b : Bool
--@END
open AB

postulate x : ℕ
postulate y : Bool

--@BEGIN@recordDefOne
n1 : AB
n1 = pair x y
--@END


n2 : AB
--@BEGIN@recordDefTwo
n2 = record{a = x; b = y}
--@END


n3 : AB
--@BEGIN@recordDefThree
a n3 = x
b n3 = y
--@END


--@BEGIN@postulateExample
postulate A : Set
postulate a' : A
postulate _==_ : A → A → Set
postulate : A → A → Set
--@END


--@BEGIN@listDef
data List (A : Set) : Set where
  [] : List A
  _∷_ : A → List A → List A
--@END


--@BEGIN@whereEx
revList : (A : Set) → List A → List A
revList A list = refAux list []
  where
    refAux : List A → List A → List A
    refAux [] xy = xy
    refAux (x ∷ xs) xy = refAux xs (x ∷ xy)
--@END


--@BEGIN@mutualEx
mutual
  data Even : Set where
    zero : Even
    suc : Odd → Even

  data Odd : Set where
    suc : Even → Odd
--@END


--@BEGIN@mutualExtwo
data Even' : Set
data Odd' : Set

data Even' where
  zero : Even'
  suc : Odd' → Even'

data Odd' where
  suc : Even' → Odd'
--@END


_<_ : ℕ → ℕ → Bool
_ < zero = false
zero < succ m = true
succ n < succ m = n < m


--@BEGIN@withEx
MinN : ℕ → ℕ → ℕ
MinN x y with (x < y)
MinN x y | true = x
MinN x y | false = y
--@END


--open import Data.Nat

data Nat : Set where
  zero : Nat
  suc : Nat → Nat

--{-# BUILTIN NATURAL Nat #-}
--{-# BUILTIN NATURAL ℕ #-}

{- aa₁ : ℕ aa₁ = 0 -}

{- {-# BUILTIN LIST List #-} {-# BUILTIN NIL [] #-} {-# BUILTIN CONS #-} -}


data List₀ (A : Set) : Set where
  [] : List₀ A
  _∷_ : A → List₀ A → List₀ A
--@END


--{-# COMPILED_DATA List List [] (:) #-}

--@BEGIN@listPragma
{-# FOREIGN GHC type AgdaList a = [a] #-}
{-# COMPILE GHC List = data AgdaList ([] | (:)) #-}
--@END


--@BEGIN@IOPostCom
postulate IO : Set → Set
--@END

--{-# COMPILED_TYPE IO IO #-}

-- {-# FOREIGN GHC type AgdaIO a = IO a #-}
-- {-# COMPILE GHC IO = type AgdaIO #-}

--@BEGIN@CoIO
{-# COMPILE GHC IO = type IO #-}
--@END


--@BEGIN@UnDef
data Unit : Set where
  unit : Unit
--@END


--{-# COMPILED_DATA Unit () () #-}
--@BEGIN@coIOEx
{-# COMPILE GHC Unit = data () (()) #-}
--@END


--@BEGIN@postulateStringEx
postulate String : Set
{-# BUILTIN STRING String #-}
postulate putStrLn : String → IO Unit
{-# COMPILE GHC putStrLn = (\ s -> putStrLn (Data.Text.unpack s)) #-}
--@END

-- {-# COMPILED putStrLn (\ _ s -> Data.Text.IO.putStrLn s) #-}

--@BEGIN@comStrEx
--{-# COMPILED_TYPE String String #-}
--{-# COMPILED putStrLn putStrLn #-}
--@END


--@BEGIN@botEx
data ⊥ : Set where
--@END


--@BEGIN@topEx
data ⊤ : Set where
  triv : ⊤
--@END


--@BEGIN@inductivDef
mutual
  data U : Set where
    ⊥'    : U
    ⊤'    : U
    Bool' : U
    Π'    : (a : U)(b : T₀ a → U) → U

  T₀ : U → Set
  T₀ ⊥' = ⊥
  T₀ ⊤' = ⊤
  T₀ Bool' = Bool
  T₀ (Π' a b) = (x : T₀ a) → T₀ (b x)
--@END


--@BEGIN@StreamDef
record Stream (i : Size) : Set where
  coinductive
  field
    head : ℕ
    tail : {j : Size< i} → Stream j
--@END


open Stream


--@BEGIN@consAgdaCode
cons : ∀ {i} → ℕ → Stream i → Stream (↑ i)
head (cons n s) = n
tail (cons n s) = s
--@END


--@BEGIN@plusStreamAgdaCode
_+s_ : ∀ {i} → Stream i → Stream i → Stream i
head (s +s s') = head s + head s'
tail (s +s s') = tail s +s tail s'
--@END


--@BEGIN@isTrue
T : Bool → Set
T true = ⊤
T false = ⊥
--@END


infix 4 _≡_

-- \maine
--@BEGIN@DefEq
data _≡_ {a} {A : Set a} (x : A) : A → Set a where
  instance refl : x ≡ x
--@END


{-# BUILTIN EQUALITY _≡_ #-}

--@BEGIN@rewriteEx
+0 : ∀ n → n + zero ≡ n
+0 zero = refl
+0 (succ n) rewrite +0 n = refl
--@END


--@BEGIN@rewriteExDecoded
+0' : ∀ n → n + zero ≡ n
+0' zero = refl
+0' (succ n) with n + zero | +0' n
+0' (succ n) | .n | refl = refl
--@END

-- \maine
--@BEGIN@Fin
data Fin : ℕ → Set where
  zero : {n : ℕ} → Fin (succ n)
  suc : {n : ℕ} → Fin n → Fin (succ n)
--@END

A.110 theoremProverAgdaChapterCod2.agda


--@PREFIX@maineTwo

module theoremProverAgdaChapterCod2 where
--@BEGIN@colDef
-- version of theoremProverAgdaChapterCod
-- where, when there are two variants, the variants have no special symbol

data color : Set where
  Red : color
  Green : color
  Blue : color
--@END


--@BEGIN@swapCol
swapColor : color → color
swapColor Red = Green
swapColor Green = Red
--@END


--@HIDE-BEG
swapColor Blue = Red
--@HIDE-END


--@BEGIN@natDef
data ℕ : Set where
  zero : ℕ
  succ : ℕ → ℕ

{-# BUILTIN NATURAL ℕ #-}
--@END


--@BEGIN@plusOp
_+_ : ℕ → ℕ → ℕ
zero + m = m
succ n + m = succ (n + m)
--@END


--@BEGIN@doublOp
double : ℕ → ℕ
double zero = zero
double (succ n) = succ (double n)
--@END


--@BEGIN@fibDef
fib : ℕ → ℕ
fib zero = zero
fib (succ zero) = succ zero
fib (succ (succ n)) = fib n + fib (succ n)
--@END


open import Coinduction using (♯_ ; ♭ ; ∞)
open import Size renaming (∞ to ∞')

--@BEGIN@streamDef
data stream : Set where
  _∷_ : ℕ → ∞ stream → stream
--@END


--@BEGIN@streamZero
strem₀ : stream
strem₀ = zero ∷ (♯ strem₀)
--@END


--@BEGIN@contStream
inc : ℕ → stream
inc n = n ∷ (♯ inc (succ n))
--@END


--@BEGIN@comStream
addStream : stream → stream → stream
addStream (x ∷ x₁) (y ∷ y₁) = (x + y) ∷ (♯ addStream (♭ x₁) (♭ y₁))
--@END


--@BEGIN@deDefination
mutual
  record ∞Delay (i : Size) (A : Set) : Set where
    coinductive
    field
      force : {j : Size< i} → Delay j A

  data Delay (i : Size) (A : Set) : Set where
    now   : A → Delay i A
    later : ∞Delay i A → Delay i A
--@END


data Bool : Set where
  true : Bool
  false : Bool


--@BEGIN@orDef
_or_ : Bool → Bool → Bool
false or m = m
true or m = true
--@END


--@BEGIN@postulateDef
postulate _and_ : Bool → Bool → Bool
postulate if_then_else_ : Bool → Bool → Bool → Bool
--@END


--@BEGIN@infixlDef
infixl 10 _or_
infixl 11 _and_
infixl 12 if_then_else_
--@END


--@BEGIN@boolDef
data 𝔹 : Set where
  true : 𝔹
  false : 𝔹
--@END


--@BEGIN@orUnicode
_∨_ : 𝔹 → 𝔹 → 𝔹
true ∨ true = true
true ∨ false = true
false ∨ true = true
false ∨ false = false
--@END

--@BEGIN@idExEx
id : {A : Set} → A → A
id x = x
--@END


--@BEGIN@idImEx
id₁ : (A : Set) → A → A
id₁ A x = x
--@END


--@BEGIN@idboolExEx
True : Bool
True = id true
--@END


--@BEGIN@idzeroExEx
Zero : ℕ
Zero = id zero
--@END


--@BEGIN@idNatImEx
Zero₁ : ℕ
Zero₁ = id₁ ℕ zero
--@END


--@BEGIN@idBoolImEX
true₁ : Bool
true₁ = id₁ Bool true
--@END


--@BEGIN@importMayEx
import maybe
--@END


--import Data.Nat renaming (ℕ to ℕ')
--open Data.Nat

--@BEGIN@zeroExNat
Z : ℕ
Z = zero
--@END


--@BEGIN@openImportEx
open import maybe
--@END


--@BEGIN@fmaybeOpenImportEx
fMaybe : {A B : Set} → (A → B) → Maybe A → Maybe B
fMaybe f nothing = nothing
fMaybe f (just x) = just (f x)
--@END


--@BEGIN@recordDef
record AB : Set where
  constructor pair
  field
    a : ℕ
    b : Bool
--@END
open AB

postulate x : ℕ
postulate y : Bool

--@BEGIN@recordDefOne
n1 : AB
n1 = pair x y
--@END


n2 : AB
--@BEGIN@recordDefTwo
n2 = record{a = x; b = y}
--@END


n3 : AB
--@BEGIN@recordDefThree
a n3 = x
b n3 = y
--@END


--@BEGIN@postulateExample
postulate A : Set
postulate a' : A
postulate _==_ : A → A → Set
postulate : A → A → Set
--@END


--@BEGIN@List
data List (A : Set) : Set where
  [] : List A
  _∷_ : A → List A → List A
--@END

{-# BUILTIN LIST List #-}

--@BEGIN@whereEx
revList : (A : Set) → List A → List A
revList A list = refAux list []
  where
    refAux : List A → List A → List A
    refAux [] xy = xy
    refAux (x ∷ xs) xy = refAux xs (x ∷ xy)
--@END


--@BEGIN@mutualExtwo
data Even : Set
data Odd : Set

data Even where
  zero : Even
  suc : Odd → Even

data Odd where
  suc : Even → Odd
--@END


_<_ : ℕ → ℕ → Bool
_ < zero = false
zero < succ m = true
succ n < succ m = n < m


--@BEGIN@withEx
MinN₁ : ℕ → ℕ → ℕ
MinN₁ x y with (x < y)
MinN₁ x y | true = x
MinN₁ x y | false = y
--@END


--@BEGIN@withminEx
MinN : ℕ → ℕ → ℕ
MinN x y with (x < y)
...| true = x
...| false = y
--@END


--@BEGIN@nestedPatt
mutual
  f : ℕ → ℕ
  f zero = 1
  f (succ zero) = 2
  f (succ (succ x)) = g x

  g : ℕ → ℕ
  g zero = 3
  g (succ n) = n
--@END


--open import Data.Nat

data Nat : Set where
  zero : Nat
  suc : Nat → Nat

--{-# BUILTIN NATURAL Nat #-}
--{-# BUILTIN NATURAL ℕ #-}

{- aa₁ : ℕ aa₁ = 0 -}

{- {-# BUILTIN LIST List #-} {-# BUILTIN NIL [] #-} {-# BUILTIN CONS #-} -}


--@BEGIN@listDef
data List₀ (A : Set) : Set where
  [] : List₀ A
  _∷_ : A → List₀ A → List₀ A
--@END


--@BEGIN@listPragma
--{-# COMPILED_DATA List List [] (:) #-}
{-# COMPILE GHC List = data MAlonzo.Code.Agda.Builtin.List.AgdaList ([] | (:)) #-}
--@END


--@BEGIN@IOPostCom
postulate IO : Set → Set
--@END


--@BEGIN@CoIO
--{-# COMPILED_TYPE IO IO #-}
{-# COMPILE GHC IO = type MAlonzo.Code.Agda.Builtin.IO.AgdaIO #-}
--@END


--@BEGIN@UnDef
data Unit : Set where
  unit : Unit
--@END


--@BEGIN@coIOEx
--{-# COMPILED_DATA Unit () () #-}
{-# COMPILE GHC Unit = data () (()) #-}
--@END


--@BEGIN@postulateStringEx
postulate String : Set
postulate putStrLn : String → IO Unit
--@END


--@BEGIN@comStrEx
--{-# COMPILED_TYPE String String #-}
--{-# COMPILED putStrLn putStrLn #-}
--@END


--@BEGIN@botEx
data ⊥ : Set where
--@END


--@BEGIN@topEx
data ⊤ : Set where
  triv : ⊤
--@END


--@BEGIN@inductivDef
mutual
  data U : Set where
    ⊥'    : U
    ⊤'    : U
    Bool' : U
    Π'    : (a : U)(b : T₀ a → U) → U

  T₀ : U → Set
  T₀ ⊥' = ⊥
  T₀ ⊤' = ⊤
  T₀ Bool' = Bool
  T₀ (Π' a b) = (x : T₀ a) → T₀ (b x)
--@END


--@BEGIN@StreamDef
record Stream (i : Size) : Set where
  coinductive
  field
    head : ℕ
    tail : {j : Size< i} → Stream j
--@END


open Stream


--@BEGIN@consAgdaCode
cons : ∀ {i} → ℕ → Stream i → Stream (↑ i)
head (cons n s) = n
tail (cons n s) = s
--@END


--@BEGIN@plusStreamAgdaCode
_+s_ : ∀ {i} → Stream i → Stream i → Stream i
head (s +s s') = head s + head s'
tail (s +s s') = tail s +s tail s'
--@END


-- \maineTwo
--@BEGIN@IsEven
data IsEven : ℕ → Set where
  even0 : IsEven 0
  evenSuc : {n : ℕ} → IsEven n → IsEven (succ (succ n))
--@END


-- \maineTwo
--@BEGIN@evenplus
even+ : (n m : ℕ) → IsEven n → IsEven m → IsEven (n + m)
even+ .0 m even0 pm = pm
even+ .(succ (succ n)) m (evenSuc {n} pn) pm = evenSuc (even+ n m pn pm)
--@END


A.111 theoremProverAgdaChapterCod3.agda


--@PREFIX@mainethree

module theoremProverAgdaChapterCod3 where

open import Size
open import Data.String
open import Data.Unit


-- \mainethree
--@BEGIN@Maybe
data Maybe (A : Set) : Set where
  nothing : Maybe A
  just : A → Maybe A
--@END


-- \mainethree
--@BEGIN@IOInterface
record IOInterface : Set₁ where
  field
    Command : Set
    Response : Command → Set
--@END

open IOInterface public
mutual

  -- \mainethree
  --@BEGIN@IO
  record IO (i : Size) (I : IOInterface) (A : Set) : Set where
    coinductive
    constructor delay
    field
      force : {j : Size< i} → IO' j I A

  data IO' (i : Size) (I : IOInterface) (A : Set) : Set where
    do'     : (c : I .Command) (f : I .Response c → IO i I A) → IO' i I A
    return' : (a : A) → IO' i I A
  --@END


data IO+ (i : Size) (I : IOInterface) (A : Set) : Set where
  do' : (c : I .Command) (f : I .Response c → IO i I A) → IO+ i I A

open IO public

-- \mainethree
--@BEGIN@ConsoleCommand
data ConsoleCommand : Set where
  putStrLn : String → ConsoleCommand
  getLine : ConsoleCommand

ConsoleResponse : ConsoleCommand → Set
ConsoleResponse (putStrLn s) = ⊤
ConsoleResponse getLine = String

consoleI : IOInterface
consoleI .Command = ConsoleCommand
consoleI .Response = ConsoleResponse

IOConsole : Size → Set → Set
IOConsole i = IO i consoleI
--@END


module _ {I : IOInterface} where

  infixl 2 _>>=_ _>>='_ _>>_

  mutual

    -- \mainethree
    --@BEGIN@monadicBind
    _>>='_ : ∀{i}{A B : Set}(m : IO' i I A) (k : A → IO (↑ i) I B) → IO' i I B
    do' c f >>=' k = do' c λ x → f x >>= k
    return' a >>=' k = (k a) .force

    _>>=_ : ∀{i}{A B : Set}(m : IO i I A) (k : A → IO i I B) → IO i I B
    (m >>= k) .force = m .force >>=' k

    _>>_ : ∀{i}{B : Set} (m : IO i I ⊤) (k : IO i I B) → IO i I B
    m >> k = m >>= λ _ → k
    --@END


A.112 traceEquivalence.agda


--@PREFIX@maintraceEquivalence

module traceEquivalence where

open import Size
open import Data.List
open import Data.Product
open import Data.Maybe
open import label
open import process
open import choiceSetU
open import TraceWithoutSize
open import RefWithoutSize
open import labelUniv


--@BEGIN@TrEqDef
_≡_ : {lu : LUniv}{c₀ : Choice} → (P Q : Process ∞ {lu} c₀) → Set
P ≡ Q = P ⊑ Q × Q ⊑ P
--@END


--@BEGIN@TrEqInfDef
_≡∞_ : {lu : LUniv}{c₀ : Choice} → (P Q : Process∞ ∞ {lu} c₀) → Set
P ≡∞ Q = P ⊑∞ Q × Q ⊑∞ P
--@END


--@BEGIN@TrEqPlusDef
_≡+_ : {lu : LUniv}{c₀ : Choice} → (P Q : Process+ ∞ {lu} c₀) → Set
P ≡+ Q = P ⊑+ Q × Q ⊑+ P
--@END


A.113 traceImpliesTraceP.agda


module traceImpliesTraceP where

open import process
open import choiceSetU
open import labelUniv
open import Size
open import Data.Empty
open import Data.List
open import Data.Maybe
open import Data.Sum
open import TraceWithNextProcess
open import TraceWithoutSize
open import bisimilarity
mutual
  termEquivalentImpliesTrace : {lu : LUniv}{c : Choice}{x : ChoiceSet c}
                               (P : Process ∞ {lu} c)(terequiv : TerminateEquivalent x P)
                               → Tr [] (just x) P
  termEquivalentImpliesTrace {lu}{c} {x} .(terminate x) termeqterm = ter x
  termEquivalentImpliesTrace {lu}{c} {x} .(node Q) (termeqnode {Q} terequiv) =
    termEquivalentImpliesTraceaux Q terequiv (hasTauOrTick terequiv)


  termEquivalentImpliesTraceaux : {lu : LUniv}{c : Choice}{x : ChoiceSet c}
                                  (Q : Process+ ∞ {lu} c)(terequiv : TerminateEquivalent+ x Q)
                                  → (hasTauOrTick : ChoiceSet (I Q) ⊎ ChoiceSet (T Q))
                                  → Tr [] (just x) (node Q)
  termEquivalentImpliesTraceaux {lu}{c} {x} Q terequiv (inj₁ ic) = tnode (intc [] (just x) ic
                                  (termEquivalentImpliesTrace∞ (PI Q ic) (onlyIntChoice
  termEquivalentImpliesTraceaux {lu}{c} {x} Q terequiv (inj₂ tc) rewrite (termIsa terequiv tc) = tnode


  termEquivalentImpliesTrace∞ : {lu : LUniv}{c : Choice}{x : ChoiceSet c}(P : Process∞ ∞ {lu} c)
                                (terequiv : TerminateEquivalent∞ x P)
                                → Tr∞ [] (just x) P
  termEquivalentImpliesTrace∞ {lu}{c} {x} P terequiv = termEquivalentImpliesTrace (forcep P) terequ


mutual
  termEquivalentImpliesTraceEmpty : {lu : LUniv}{c : Choice}{x : ChoiceSet c}(P : Process ∞ {lu} c)
                                    (terequiv : TerminateEquivalent x P) → Tr [] nothing P
  termEquivalentImpliesTraceEmpty {lu} {c} {x} .(terminate x) termeqterm = empty x
  termEquivalentImpliesTraceEmpty {lu} {c} {x} .(node Q) (termeqnode {Q} terequiv) =
    termEquivalentImpliesTraceEmptyaux Q terequiv (hasTauOrTick tereq


  termEquivalentImpliesTraceEmptyaux : {lu : LUniv}{c : Choice}{x : ChoiceSet c}(Q : Process+ ∞ {lu} c)
                                       (terequiv : TerminateEquivalent+ x Q)
                                       → (hasTauOrTick : ChoiceSet (I Q) ⊎ ChoiceSet (T Q))
                                       → Tr [] nothing (node Q)
  termEquivalentImpliesTraceEmptyaux {lu}{c} {x} Q terequiv (inj₁ ic) = tnode (intc [] nothing
                                       (termEquivalentImpliesTraceEmpty∞ (PI Q ic) (onlyIn
  termEquivalentImpliesTraceEmptyaux {lu}{c} {x} Q terequiv (inj₂ tc) rewrite (termIsa tereq


  termEquivalentImpliesTraceEmpty∞ : {lu : LUniv}{c : Choice}{x : ChoiceSet c}(P : Process∞ ∞ {lu} c)
                                     (terequiv : TerminateEquivalent∞ x P)
                                     → Tr∞ [] nothing P
  termEquivalentImpliesTraceEmpty∞ {lu}{c} {x} P terequiv = termEquivalentImpliesTraceEm


mutual
  termEquivalentTraceIsTerTrace+ : {lu : LUniv}{c : Choice}{x : Maybe (ChoiceSet c)}
                                   {a : ChoiceSet c}(P : Process+ ∞ {lu} c)(l : List (Label lu))
                                   (terequivP : TerminateEquivalent a (node P))(tr : Tr+ l x P)
                                   → Tr l x (terminate a)
  termEquivalentTraceIsTerTrace+ {lu}{c} {.nothing} {a} P .[] (termeqnode x₁) empty = emp
  termEquivalentTraceIsTerTrace+ {lu}{c} P .(Lab P x ∷ l) (termeqnode terequivP) (extc l tic
  termEquivalentTraceIsTerTrace+ {lu}{c} P l (termeqnode terequivP) (intc .l tick x tr) =
    termEquivalentTraceIsTerTrace∞ (PI P x) l (onlyIntChoice
  termEquivalentTraceIsTerTrace+ {lu}{c} {.(just (PT P x))} {a} P .[]
    (termeqnode terequivP) (terc x) rewrite termIsa terequ


  termEquivalentTraceIsTerTrace∞ : {lu : LUniv}{c : Choice}{x : Maybe (ChoiceSet c)}{a : ChoiceSet c}
                                   (P : Process∞ ∞ {lu} c)(l : List (Label lu))
                                   (terequivP : TerminateEquivalent∞ a P)(tr : Tr∞ l x P)
                                   → Tr l x (terminate a)
  termEquivalentTraceIsTerTrace∞ {lu}{c} {x} {a} P l terequivP tr =
    termEquivalentTraceIsTerTrace (forcep P)


  termEquivalentTraceIsTerTrace : {lu : LUniv}{c : Choice}{x : Maybe (ChoiceSet c)}{a : ChoiceSet c}
                                  (P : Process ∞ {lu} c)(l : List (Label lu))
                                  (terequivP : TerminateEquivalent a P)(tr : Tr l x P)
                                  → Tr l x (terminate a)
  termEquivalentTraceIsTerTrace {lu}{c} {x} {a} .(terminate a) l termeqterm tr = tr
  termEquivalentTraceIsTerTrace {lu}{c} {x} {a} .(node P) l (termeqnode {P} terequivQ) (tnode tr) =
    termEquivalentTraceIsTerTrace+ P l (termeqnode tereq


mutual
  traceAppendTrw∞ : {lu : LUniv}(c : Choice)(P : Process∞ ∞ {lu} c)(Q : Process ∞ {lu} c)
                    (l₁ l₂ : List (Label lu))(m : Maybe (ChoiceSet c))
                    (tr₁ : P →∞*[ l₁ ] Q)(tr₂ : Tr l₂ m Q)
                    → Tr∞ (l₁ ++ l₂) m P
  traceAppendTrw∞ c P Q l₁ l₂ m tr₁ tr₂ = traceAppendTrw c (forcep P) Q l₁ l₂ m tr₁ tr₂

  traceAppendTrw : {lu : LUniv}(c : Choice)(P : Process ∞ {lu} c)
                   (Q : Process ∞ {lu} c)(l₁ l₂ : List (Label lu))(m : Maybe (ChoiceSet c))
                   (tr₁ : P →*[ l₁ ] Q)(tr₂ : Tr l₂ m Q)
                   → Tr (l₁ ++ l₂) m P
  traceAppendTrw c .(terminate x) .(terminate x) .[] l₂ m (empty x) tr₂ = tr₂
  traceAppendTrw c .(node P) .(node P) .[] l₂ m (tnode {.[]} {.(inj₁ (node P))} {P} empty) tr₂ = tr₂
  traceAppendTrw c .(node P) Q .(Lab P x ∷ l) l₂ m (tnode {.(Lab P x ∷ l)} {.(inj₁ Q)} {P} (extc l .(inj₁ Q) x tr)) tr₂
    = tnode (extc (l ++ l₂) m x (traceAppendTrw∞ c (PE P x) Q l l₂ m tr tr₂))
  traceAppendTrw c .(node P) Q l₁ l₂ m (tnode {.l₁} {.(inj₁ Q)} {P} (intc .l₁ .(inj₁ Q) x tr)) tr₂
    = tnode (intc (l₁ ++ l₂) m x (traceAppendTrw∞ c (PI P x) Q l₁ l₂ m tr tr₂))


  traceAppendTrw+ : {lu : LUniv}(c : Choice)(P : Process+ ∞ {lu} c)(Q : Process ∞ {lu} c)
                    (l₁ l₂ : List (Label lu))(m : Maybe (ChoiceSet c))
                    (tr₁ : P →+*[ l₁ ] Q)(tr₂ : Tr l₂ m Q)
                    → Tr+ (l₁ ++ l₂) m P
  traceAppendTrw+ c P .(node P) .[] l₂ m empty (tnode tr) = tr
  traceAppendTrw+ c P Q .(Lab P x ∷ l) l₂ m (extc l .(inj₁ Q) x x₁) tr₂
    = extc (l ++ l₂) m x (traceAppendTrw∞ c (PE P x) Q l l₂ m x₁ tr₂)
  traceAppendTrw+ c P Q l₁ l₂ m (intc .l₁ .(inj₁ Q) x x₁) tr₂
    = intc (l₁ ++ l₂) m x (traceAppendTrw∞ c (PI P x) Q l₁ l₂ m x₁ tr₂)


a 
mutual
  trPAppendTrw∞ : {lu : LUniv}(c : Choice)(P : Process∞ ∞ {lu} c)(Q : Process ∞ {lu} c)
                  (l₁ l₂ : List (Label lu))(m : Process ∞ {lu} c ⊎ ChoiceSet c)
                  (tr₁ : P →∞*[ l₁ ] Q)(tr₂ : TrP l₂ m Q)
                  → TrP∞ (l₁ ++ l₂) m P
  trPAppendTrw∞ c P Q l₁ l₂ m tr₁ tr₂ = trPAppendTrw c (forcep P) Q l₁ l₂ m tr₁ tr₂

  trPAppendTrw : {lu : LUniv}(c : Choice)(P : Process ∞ {lu} c)(Q : Process ∞ {lu} c)
                 (l₁ l₂ : List (Label lu))(m : Process ∞ {lu} c ⊎ ChoiceSet c)
                 (tr₁ : P →*[ l₁ ] Q)(tr₂ : TrP l₂ m Q)
                 → TrP (l₁ ++ l₂) m P
  trPAppendTrw c .(terminate x) .(terminate x) .[] l₂ m (empty x) tr₂ = tr₂
  trPAppendTrw c .(node P) .(node P) .[] l₂ m (tnode {.[]} {.(inj₁ (node P))} {P} empty) tr₂ = tr₂
  trPAppendTrw c .(node P) Q .(Lab P x ∷ l) l₂ m (tnode {.(Lab P x ∷ l)} {.(inj₁ Q)} {P} (extc l .(inj₁ Q) x tr)) tr₂
    = tnode (extc (l ++ l₂) m x (trPAppendTrw∞ c (PE P x) Q l l₂ m tr tr₂))
  trPAppendTrw c .(node P) Q l₁ l₂ m (tnode {.l₁} {.(inj₁ Q)} {P} (intc .l₁ .(inj₁ Q) x tr)) tr₂
    = tnode (intc (l₁ ++ l₂) m x (trPAppendTrw∞ c (PI P x) Q l₁ l₂ m tr tr₂))


  trPAppendTrw+ : {lu : LUniv}(c : Choice)(P : Process+ ∞ {lu} c)(Q : Process ∞ {lu} c)
                  (l₁ l₂ : List (Label lu))(m : Process ∞ {lu} c ⊎ ChoiceSet c)
                  (tr₁ : P →+*[ l₁ ] Q)(tr₂ : TrP l₂ m Q)
                  → TrP+ (l₁ ++ l₂) m P
  trPAppendTrw+ c P .(node P) .[] l₂ m empty (tnode tr) = tr
  trPAppendTrw+ c P Q .(Lab P x ∷ l) l₂ m (extc l .(inj₁ Q) x x₁) tr₂
    = extc (l ++ l₂) m x (trPAppendTrw∞ c (PE P x) Q l l₂ m x₁ tr₂)
  trPAppendTrw+ c P Q l₁ l₂ m (intc .l₁ .(inj₁ Q) x x₁) tr₂
    = intc (l₁ ++ l₂) m x (trPAppendTrw∞ c (PI P x) Q l₁ l₂ m x₁ tr₂)


mutual
  trPResultToTrResult : {lu : LUniv}{c : Choice}(l : List (Label lu))
                        (me : Process ∞ {lu} c ⊎ ChoiceSet c)
                        → Maybe (ChoiceSet c)
  trPResultToTrResult {lu}{c} l (inj₁ _) = nothing
  trPResultToTrResult {lu}{c} l (inj₂ x) = just x


  trPtoTr∞ : {lu : LUniv}{c : Choice}(l : List (Label lu))(me : Process ∞ {lu} c ⊎ ChoiceSet c)
             (P : Process∞ ∞ {lu} c)(tr : TrP∞ {lu}{c} l me P)
             → Tr∞ {lu}{c} l (trPResultToTrResult {lu}{c} l me) P
  trPtoTr∞ l me P tr = trPtoTr l me (forcep P) tr

  trPtoTr : {lu : LUniv}{c : Choice}(l : List (Label lu))(me : Process ∞ {lu} c ⊎ ChoiceSet c)
            (P : Process ∞ {lu} c)(tr : TrP {lu}{c} l me P)
            → Tr {lu}{c} l (trPResultToTrResult {lu}{c} l me) P
  trPtoTr .[] .(inj₂ x) .(terminate x) (ter x) = ter x
  trPtoTr .[] .(inj₁ (terminate x)) .(terminate x) (empty x) = empty x
  trPtoTr .[] .(inj₁ (node P)) .(node P) (tnode {.[]} {.(inj₁ (node P))} {P} empty)
    = tnode empty
  trPtoTr .(Lab P x ∷ l) (inj₁ (terminate x₁)) .(node P) (tnode {.(Lab P x ∷ l)}
    {.(inj₁ (terminate x₁))} {P} (extc l .(inj₁ (terminate x₁)) x x₂))
    = tnode (extc l (trPResultToTrResult (Lab P x ∷ l) (inj₁ (terminate x₁))) x (trPtoTr∞ l (inj₁ (_)) (
  trPtoTr .(Lab P x ∷ l) (inj₁ (node x₁)) .(node P) (tnode {.(Lab P x ∷ l)} {.(inj₁ (node x₁))} {P} (ext
    = tnode (extc l (trPResultToTrResult (Lab P x ∷ l) (inj₁ (node x₁))) x (trPtoTr∞ l (inj₁ (_)) (PE P
  trPtoTr .(Lab P x ∷ l) (inj₂ y) .(node P) (tnode {.(Lab P x ∷ l)} {.(inj₂ y)} {P} (extc l .(inj₂ y) x x₁))
    = tnode (extc l (trPResultToTrResult (Lab P x ∷ l) (inj₂ y)) x (trPtoTr∞ l (inj₂ y) (PE P x) x₁))
  trPtoTr l me .(node P) (tnode {.l} {.me} {P} (intc .l .me x x₁))
    = tnode (intc l (trPResultToTrResult l me) x (trPtoTr∞ l me (PI P x) x₁))
  trPtoTr .[] .(inj₂ (PT P x)) .(node P) (tnode {.[]} {.(inj₂ (PT P x))} {P} (terc x))
    = tnode (terc x)

  trPtoTr+ : {lu : LUniv}{c : Choice}(l : List (Label lu))(me : Process ∞ {lu} c ⊎ ChoiceSet c)
             (P : Process+ ∞ {lu} c)(tr : TrP+ {lu}{c} l me P)
             → Tr+ {lu}{c} l (trPResultToTrResult {lu}{c} l me) P
  trPtoTr+ .[] .(inj₁ (node P)) P empty
    = empty
  trPtoTr+ .(Lab P x ∷ l) (inj₁ (terminate x₁)) P (extc l .(inj₁ (terminate x₁)) x x₂)
    = extc l (trPResultToTrResult (Lab P x ∷ l) (inj₁ (terminate x₁))) x (trPtoTr∞ l (inj₁ (_)) (PE P x
  trPtoTr+ .(Lab P x ∷ l) (inj₁ (node x₁)) P (extc l .(inj₁ (node x₁)) x x₂)
    = extc l (trPResultToTrResult (Lab P x ∷ l) (inj₁ (node x₁))) x (trPtoTr∞ l (inj₁ (_)) (PE P x) x₂)
  trPtoTr+ .(Lab P x ∷ l) (inj₂ y) P (extc l .(inj₂ y) x x₁)
    = extc l (trPResultToTrResult (Lab P x ∷ l) (inj₂ y)) x (trPtoTr∞ l (inj₂ y) (PE P x) x₁)
  trPtoTr+ l me P (intc .l .me x x₁)
    = intc l (trPResultToTrResult l me) x (trPtoTr∞ l me (PI P x) x₁)
  trPtoTr+ .[] .(inj₂ (PT P x)) P (terc x)
    = terc x
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--@PREFIX@mainTraceWithNextProcess 


module TraceWithNextProcess where 


open 

open 

open 

open 

open 

open 

open 

open 


mport Size 
mport Data.List 
mport Data.Product 
mport Data.Maybe 
mport labelUniv 
mport process 
mport choiceSetU 
mport Data.Sum 


mutual 

--@BEGIN@TrPPlusDef
  data TrP+ {lu : LUniv}{c : Choice} : (l : List (Label lu))
            → Process ∞ {lu} c ⊎ ChoiceSet c
            → (P : Process+ ∞ {lu} c) → Set where
    empty : {P : Process+ ∞ {lu} c} → TrP+ {lu} [] (inj₁ (node P)) P
    extc  : {P : Process+ ∞ {lu} c}
            → (l : List (Label lu))
            → (tick : Process ∞ {lu} c ⊎ ChoiceSet c)
            → (x : ChoiceSet (E P))
            → TrP∞ {lu} l tick (PE P x)
            → TrP+ {lu} (Lab P x :: l) tick P
    intc  : {P : Process+ ∞ {lu} c}
            → (l : List (Label lu))
            → (tick : Process ∞ {lu} c ⊎ ChoiceSet c)
            → (x : ChoiceSet (I P))
            → TrP∞ {lu} l tick (PI P x)
            → TrP+ {lu} l tick P
    terc  : {P : Process+ ∞ {lu} c}
            → (x : ChoiceSet (T P))
            → TrP+ {lu} [] (inj₂ (PT P x)) P


--@END

--@BEGIN@TrPDef

  data TrP {lu : LUniv}{c : Choice} : (l : List (Label lu))
           → Process ∞ {lu} c ⊎ ChoiceSet c
           → (P : Process ∞ {lu} c) → Set where
    ter   : (x : ChoiceSet c) → TrP {lu} [] (inj₂ x) (terminate x)
    empty : (x : ChoiceSet c) → TrP {lu} [] (inj₁ (terminate x)) (terminate x)
    tnode : {l : List (Label lu)}
            → {x : Process ∞ {lu} c ⊎ ChoiceSet c}
            → {P : Process+ ∞ {lu} c}
            → TrP+ {lu} {c} l x P
            → TrP {lu} l x (node P)


--@END

--@BEGIN@TrPInfDef
  TrP∞ : {lu : LUniv}{c : Choice} (l : List (Label lu))
         (tick : Process ∞ {lu} c ⊎ ChoiceSet c)
         (P : Process∞ ∞ {lu} c) → Set
  TrP∞ {lu} {c} l tick P = TrP {lu} l tick (forcep P)
--@END

_→∞*[_]_ : {lu : LUniv}{c : Choice}(P : Process∞ ∞ {lu} c)
           (l : List (Label lu))
           (Q : Process ∞ {lu} c) → Set
_→∞*[_]_ {lu} {c} P l Q = TrP∞ {lu} {c} l (inj₁ Q) P

-- P →∞*[ l ] Q = TrP∞ {lu} l (inj₁ Q) P

_→*[_]_ : {lu : LUniv}{c : Choice}(P : Process ∞ {lu} c)
          (l : List (Label lu))
          (Q : Process ∞ {lu} c) → Set
_→*[_]_ {lu} {c} P l Q = TrP {lu} {c} l (inj₁ Q) P

-- P →*[ l ] Q = TrP {lu} l (inj₁ Q) P

--@BEGIN@Trsyntacs
_→+*[_]_ : {lu : LUniv}{c : Choice}(P : Process+ ∞ {lu} c)
           (l : List (Label lu))
           (Q : Process ∞ {lu} c) → Set
_→+*[_]_ {lu} {c} P l Q = TrP+ {lu} {c} l (inj₁ Q) P
--@END

-- P →+*[ l ] Q = TrP+ {lu} l (inj₁ Q) P


TrP+2c : {lu : LUniv}{c : Choice} (l : List (Label lu))
         → (m : Process ∞ {lu} c ⊎ ChoiceSet c)
         → (P : Process+ ∞ {lu} c)
         → TrP+ {lu} l m P
         → Choice
TrP+2c {lu} {c} l m P x = E P

TrP+2cs : {lu : LUniv} {c : Choice} (l : List (Label lu))
          → (m : Process ∞ {lu} c ⊎ ChoiceSet c)
          → (P : Process+ ∞ {lu} c)
          → TrP+ {lu} l m P
          → Set
TrP+2cs {lu} {c} l m P x = ChoiceSet (TrP+2c {lu} l m P x)

TrP+2P : {lu : LUniv} {c : Choice} (l : List (Label lu))
         (m : Process ∞ {lu} c ⊎ ChoiceSet c)
         → (P : Process+ ∞ {lu} c)
         → TrP+ {lu} l m P
         → Process+ ∞ {lu} c
TrP+2P {lu} {c} l m P x = P

TrP+2Q : {lu : LUniv}{c : Choice} (l : List (Label lu))
         → (m : Process ∞ {lu} c ⊎ ChoiceSet c)
         → (P : Process+ ∞ {lu} c)
         → TrP+ {lu} l m P
         → Process ∞ {lu} c
TrP+2Q {lu} {c} l (inj₁ x) P x₁ = x
TrP+2Q {lu} {c} l (inj₂ y) P x = terminate y


forcetP' : {lu : LUniv}{c : Choice}(l : List (Label lu))
           (tick : Process ∞ {lu} c ⊎ ChoiceSet c)
           → (P : Process+ ∞ {lu} c)
           → TrP {lu} {c} l tick (node P)
           → TrP+ {lu} {c} l tick P
forcetP' l tick P (tnode q) = q

delaytP : {lu : LUniv}{c : Choice} (l : List (Label lu))
          (tick : Process ∞ {lu} c ⊎ ChoiceSet c)
          → {P : Process+ ∞ {lu} c}
          → TrP+ {lu} {c} l tick P
          → TrP∞ {lu} {c} l tick (delay (node P))
delaytP {c} l tick {P} p = tnode p

forcetP∞p : {lu : LUniv}{c : Choice} (l : List (Label lu))
            (tick : Process ∞ {lu} c ⊎ ChoiceSet c)
            → {P : Process∞ ∞ {lu} c}
            → TrP∞ {lu} {c} l tick P
            → TrP {lu} {c} l tick (forcep P)
forcetP∞p {c} l tick {P} x = x

mutual
  reflTrP : {lu : LUniv}{c : Choice} (P : Process ∞ {lu} c)
            → TrP {lu} [] (inj₁ P) P
  reflTrP {c} (terminate x) = empty x
  reflTrP {c} (node Q) = tnode empty

  reflTrP∞ : {lu : LUniv}{c : Choice} (P : Process∞ ∞ {lu} c)
             → TrP∞ {lu} [] (inj₁ (forcep P)) P
  reflTrP∞ P = reflTrP (forcep P)


--@BEGIN@refTrPDef
_∞⊑p_ : {lu : LUniv}{c : Choice} (P : Process ∞ {lu} c)
        (Q : Process ∞ {lu} c) → Set
_∞⊑p_ {lu}{c} P Q = (l : List (Label lu))
                    → (m : Process ∞ {lu} c ⊎ ChoiceSet c)
                    → TrP {lu} l m Q → TrP {lu} l m P
--@END

∞Refp = _∞⊑p_

--@BEGIN@refTrPInfDef
_∞⊑∞_ : {lu : LUniv}{c : Choice} → (P : Process∞ ∞ {lu} c)
        (Q : Process∞ ∞ {lu} c) → Set
_∞⊑∞_ {lu}{c} P Q = (l : List (Label lu))
                    → (m : Process ∞ {lu} c ⊎ ChoiceSet c)
                    → TrP∞ {lu} l m Q → TrP∞ {lu} l m P
--@END

∞Ref∞ = _∞⊑∞_

--@BEGIN@refTrPPlusDef
_∞⊑+_ : {lu : LUniv}{c : Choice} (P : Process+ ∞ {lu} c)
        (Q : Process+ ∞ {lu} c) → Set
_∞⊑+_ {lu}{c} P Q = (l : List (Label lu))
                    → (m : Process ∞ {lu} c ⊎ ChoiceSet c)
                    → TrP+ {lu} l m Q → TrP+ {lu} l m P

∞Ref+ = _∞⊑+_
--@END

--@BEGIN@EqTrPPlusDef
_∞≡p_ : {lu : LUniv}{c : Choice} → (P Q : Process ∞ {lu} c) → Set
P ∞≡p Q = (P ∞⊑p Q) × (Q ∞⊑p P)
--@END

--@BEGIN@ProofLawTrPDef
refl∞⊑p : {lu : LUniv}{c : Choice} → (P : Process ∞ {lu} c) → P ∞⊑p P
refl∞⊑p P l m x = x

antiSym∞⊑p : {lu : LUniv}{c : Choice} → (P Q : Process ∞ {lu} c) → P ∞⊑p Q
             → Q ∞⊑p P → P ∞≡p Q
antiSym∞⊑p P Q PQ QP = PQ , QP

trans∞⊑p : {lu : LUniv}{c : Choice} → (P Q R : Process ∞ {lu} c) → P ∞⊑p Q
           → Q ∞⊑p R → P ∞⊑p R
trans∞⊑p P Q R PQ QR l m tr = PQ l m (QR l m tr)
--@END


A.115 TraceWithoutSize.agda

--@PREFIX@traceWithoutSize

module TraceWithoutSize where

open import Size
open import Data.List
open import Data.Product
open import Data.Maybe
open import process
open import choiceSetU
open import labelUniv

--@BEGIN@TrDefplus
mutual

  data Tr+ {lu : LUniv}{c : Choice} : (l : List (Label lu))
           → (m : Maybe (ChoiceSet c))
           → (P : Process+ ∞ {lu} c) → Set where
    empty : {P : Process+ ∞ {lu} c} → Tr+ [] nothing P
    extc  : {P : Process+ ∞ {lu} c}
            → (l : List (Label lu))
            → (me : Maybe (ChoiceSet c))
            → (x : ChoiceSet (E P))
            → (tr : Tr∞ {lu} l me (PE P x))
            → Tr+ {lu} (Lab P x :: l) me P
    intc  : {P : Process+ ∞ {lu} c}
            → (l : List (Label lu))
            → (me : Maybe (ChoiceSet c))
            → (x : ChoiceSet (I P))
            → (tr : Tr∞ {lu} l me (PI P x))
            → Tr+ {lu} l me P
    terc  : {P : Process+ ∞ {lu} c}
            → (t : ChoiceSet (T P))
            → Tr+ {lu} [] (just (PT P t)) P
--@END

--@BEGIN@TrDef
  data Tr {lu : LUniv}{c : Choice} : (l : List (Label lu))
          → (m : Maybe (ChoiceSet c))
          → (P : Process ∞ {lu} c) → Set where
    ter   : (x : ChoiceSet c) → Tr {lu} [] (just x) (terminate x)
    empty : (x : ChoiceSet c) → Tr {lu} [] nothing (terminate x)
    tnode : {l : List (Label lu)}
            → {x : Maybe (ChoiceSet c)}
            → {P : Process+ ∞ {lu} c}
            → (tr : Tr+ {lu} {c} l x P)
            → Tr {lu} l x (node P)
--@END

--@BEGIN@TrInfDef
  Tr∞ : {lu : LUniv}{c : Choice} (l : List (Label lu))
        (tick : Maybe (ChoiceSet c))
        (P : Process∞ ∞ {lu} c) → Set
  Tr∞ {c} l tick P = Tr l tick (forcep P)
--@END


A.116 trainExample.agda

--@PREFIX@trainExample
module trainExample where

open import Data.Bool hiding (_≡_)
open import Data.Sum
open import Data.Maybe
open import Data.Bool.Base renaming (T to T') hiding (_≡_)
open import libBool
open import auxData
open import libList
open import libEq
open import Data.String
open import Data.String renaming (_==_ to _==strb_ ; _++_ to _++s_)
open import Data.List renaming (_++_ to _++l_)
open import labelUniv
open import Size
open import process
open import choiceSetU
open import choiceFromList
open import preFix
open import simulator
open import NativeIO
open import SizedIO.Console hiding (main)
open import externalChoice
open import Data.Fin
open import Data.Nat hiding (_≡_)
open import parallelSimple
open import choiceSetU
open import interleave
open import hidingOperator
open import renamingOperator
open import primitiveProcess
open import TraceWithoutSize
open import RefWithoutSize
open import SizedIO.Base
open import renamingResult
open import dataAuxFunction
open import Relation.Nullary.Decidable
open import Data.String
open import UnitModule


SEGMENT

--@BEGIN@SEGMENT
data SEGMENT : Set where seg1 : SEGMENT
--@END

_==segm_ : SEGMENT → SEGMENT → Bool
seg1 ==segm seg1 = true

refl==segm : (s : SEGMENT) → T' (s ==segm s)
refl==segm seg1 = _

sym==segm : (s s' : SEGMENT) → T' (s ==segm s') → T' (s' ==segm s)
sym==segm seg1 seg1 _ = _

transfsegm : (s s' : SEGMENT) (Q : SEGMENT → Set)
             → T' (s ==segm s')
             → Q s → Q s'
transfsegm seg1 seg1 Q _ q = q

showSEGMENT : (s : SEGMENT) → String
showSEGMENT seg1 = "seg1"

LabelListSEGMENT : List SEGMENT
LabelListSEGMENT = seg1 :: []

labelSEGMENT : LUniv
LUniv.Labelf labelSEGMENT = SEGMENT
LUniv._==lf_ labelSEGMENT = _==segm_
LUniv.refl==lf labelSEGMENT {s} = refl==segm s
LUniv.showLabelf labelSEGMENT = showSEGMENT
LUniv.LabelListf labelSEGMENT = LabelListSEGMENT
LUniv.sym==lf labelSEGMENT {s} {s'} = sym==segm s s'
LUniv.transf labelSEGMENT {s} {s'} = transfsegm s s'


SIGNAL

--@BEGIN@SIGNAL
data SIGNAL : Set where sig1 sig2 : SIGNAL
--@END

_==sig_ : SIGNAL → SIGNAL → Bool
sig1 ==sig sig1 = true
sig2 ==sig sig2 = true
_ ==sig _ = false

refl==sig : (s : SIGNAL) → T' (s ==sig s)
refl==sig sig1 = _
refl==sig sig2 = _

showSIGNAL : (s : SIGNAL) → String
showSIGNAL sig1 = "sig1"
showSIGNAL sig2 = "sig2"

sym==sig : (s s' : SIGNAL) → T' (s ==sig s') → T' (s' ==sig s)
sym==sig sig1 sig1 _ = _
sym==sig sig1 sig2 ()
sym==sig sig2 sig1 ()
sym==sig sig2 sig2 _ = _

transfsig : (s s' : SIGNAL) (Q : SIGNAL → Set)
            → T' (s ==sig s')
            → Q s → Q s'
transfsig sig1 sig1 Q _ q = q
transfsig sig1 sig2 Q ()
transfsig sig2 sig1 Q ()
transfsig sig2 sig2 Q _ q = q

LabelListSIGNAL : List SIGNAL
LabelListSIGNAL = sig1 :: sig2 :: []

labelSIGNAL : LUniv
LUniv.Labelf labelSIGNAL = SIGNAL
LUniv._==lf_ labelSIGNAL = _==sig_
LUniv.refl==lf labelSIGNAL {l} = refl==sig l
LUniv.showLabelf labelSIGNAL = showSIGNAL
LUniv.LabelListf labelSIGNAL = LabelListSIGNAL
LUniv.sym==lf labelSIGNAL {s} {s'} = sym==sig s s'
LUniv.transf labelSIGNAL {s} {s'} = transfsig s s'


TRAIN

--@BEGIN@TRAIN
data TRAIN : Set where ta tb : TRAIN
--@END

_==train_ : TRAIN → TRAIN → Bool
ta ==train ta = true
tb ==train tb = true
_ ==train _ = false

refl==train : (s : TRAIN) → T' (s ==train s)
refl==train ta = _
refl==train tb = _

sym==train : (t t' : TRAIN) → T' (t ==train t') → T' (t' ==train t)
sym==train ta ta _ = _
sym==train ta tb ()
sym==train tb ta ()
sym==train tb tb _ = _

transftrain : (t t' : TRAIN) (Q : TRAIN → Set)
              → T' (t ==train t')
              → Q t → Q t'
transftrain ta ta Q _ q = q
transftrain ta tb Q ()
transftrain tb ta Q ()
transftrain tb tb Q _ q = q

showTRAIN : (s : TRAIN) → String
showTRAIN ta = "ta"
showTRAIN tb = "tb"

LabelListTRAIN : List TRAIN
LabelListTRAIN = ta :: tb :: []

labelTRAIN : LUniv
LUniv.Labelf labelTRAIN = TRAIN
LUniv._==lf_ labelTRAIN = _==train_
LUniv.refl==lf labelTRAIN {l} = refl==train l
LUniv.showLabelf labelTRAIN = showTRAIN
LUniv.LabelListf labelTRAIN = LabelListTRAIN
LUniv.sym==lf labelTRAIN {t} {t'} = sym==train t t'
LUniv.transf labelTRAIN {t} {t'} = transftrain t t'
ASPECT

--@BEGIN@ASPECT
data ASPECT : Set where red green : ASPECT
--@END

_==aspect_ : ASPECT → ASPECT → Bool
red ==aspect red = true
green ==aspect green = true
_ ==aspect _ = false

refl==aspect : (s : ASPECT) → T' (s ==aspect s)
refl==aspect red = _
refl==aspect green = _

sym==aspect : (a a' : ASPECT) → T' (a ==aspect a') → T' (a' ==aspect a)
sym==aspect green green _ = _
sym==aspect green red ()
sym==aspect red green ()
sym==aspect red red _ = _

transfaspect : (a a' : ASPECT) (Q : ASPECT → Set)
               → T' (a ==aspect a')
               → Q a → Q a'
transfaspect green green Q _ q = q
transfaspect green red Q ()
transfaspect red green Q ()
transfaspect red red Q _ q = q

showASPECT : (s : ASPECT) → String
showASPECT red = "red"
showASPECT green = "green"

LabelListASPECT : List ASPECT
LabelListASPECT = red :: green :: []

labelASPECT : LUniv
LUniv.Labelf labelASPECT = ASPECT
LUniv._==lf_ labelASPECT = _==aspect_
LUniv.refl==lf labelASPECT {l} = refl==aspect l
LUniv.showLabelf labelASPECT = showASPECT
LUniv.LabelListf labelASPECT = LabelListASPECT
LUniv.sym==lf labelASPECT {a} {a'} = sym==aspect a a'
LUniv.transf labelASPECT {a} {a'} = transfaspect a a'


SEGSTATE

--@BEGIN@SEGSTATE
data SEGSTATE : Set where free blocked : SEGSTATE
--@END

_==segstate_ : SEGSTATE → SEGSTATE → Bool
free ==segstate free = true
blocked ==segstate blocked = true
_ ==segstate _ = false

refl==segstate : (s : SEGSTATE) → T' (s ==segstate s)
refl==segstate free = _
refl==segstate blocked = _

sym==segstate : (s s' : SEGSTATE) → T' (s ==segstate s') → T' (s' ==segstate s)
sym==segstate free free _ = _
sym==segstate free blocked ()
sym==segstate blocked free ()
sym==segstate blocked blocked _ = _

transfsegstate : (s s' : SEGSTATE) (Q : SEGSTATE → Set)
                 → T' (s ==segstate s')
                 → Q s → Q s'
transfsegstate free free Q _ q = q
transfsegstate free blocked Q ()
transfsegstate blocked free Q ()
transfsegstate blocked blocked Q _ q = q

showSEGSTATE : (s : SEGSTATE) → String
showSEGSTATE free = "free"
showSEGSTATE blocked = "blocked"

LabelListSEGSTATE : List SEGSTATE
LabelListSEGSTATE = free :: blocked :: []

labelSEGSTATE : LUniv
LUniv.Labelf labelSEGSTATE = SEGSTATE
LUniv._==lf_ labelSEGSTATE = _==segstate_
LUniv.refl==lf labelSEGSTATE {l} = refl==segstate l
LUniv.showLabelf labelSEGSTATE = showSEGSTATE
LUniv.LabelListf labelSEGSTATE = LabelListSEGSTATE
LUniv.sym==lf labelSEGSTATE {s} {s'} = sym==segstate s s'
LUniv.transf labelSEGSTATE {s} {s'} = transfsegstate s s'


LabelTrains

--@BEGIN@LabelTrains
data LabelTrains : Set where
  getSegm : TRAIN → SEGMENT → SEGSTATE → LabelTrains
--@END
--@BEGIN@LabelsetSegm
  setSegm : TRAIN → SEGMENT → SEGSTATE → LabelTrains
--@END
--@BEGIN@LabelsetSig
  setSig : TRAIN → SIGNAL → ASPECT → LabelTrains
--@END
--@BEGIN@LabelsetSigs
  setSigs : SIGNAL → ASPECT → LabelTrains
--@END

_==LabelTrains_ : LabelTrains → LabelTrains → Bool
getSegm t seg segs ==LabelTrains getSegm t' seg' segs' =
  ==Triple {TRAIN} {SEGMENT} {SEGSTATE} _==train_ _==segm_ _==segstate_
           (t ,, (seg ,, segs)) (t' ,, (seg' ,, segs'))
setSegm t seg segs ==LabelTrains setSegm t' seg' segs' =
  ==Triple {TRAIN} {SEGMENT} {SEGSTATE} _==train_ _==segm_ _==segstate_
           (t ,, (seg ,, segs)) (t' ,, (seg' ,, segs'))
setSig t sig asp ==LabelTrains setSig t' sig' asp' =
  ==Triple {TRAIN} {SIGNAL} {ASPECT} _==train_ _==sig_ _==aspect_
           (t ,, (sig ,, asp)) (t' ,, (sig' ,, asp'))
setSigs sig asp ==LabelTrains setSigs sig' asp' =
  ==Pair {SIGNAL} {ASPECT} _==sig_ _==aspect_
         (sig ,, asp) (sig' ,, asp')
_ ==LabelTrains _ = false

refl==labelTrains : (l : LabelTrains) → T' (l ==LabelTrains l)
refl==labelTrains (getSegm t seg segst) =
  reflTriple {TRAIN} {SEGMENT} {SEGSTATE} _==train_ _==segm_ _==segstate_
             refl==train refl==segm refl==segstate (t ,, (seg ,, segst))
refl==labelTrains (setSegm t seg segst) =
  reflTriple {TRAIN} {SEGMENT} {SEGSTATE} _==train_ _==segm_ _==segstate_
             refl==train refl==segm refl==segstate (t ,, (seg ,, segst))
refl==labelTrains (setSig t sig asp) =
  reflTriple {TRAIN} {SIGNAL} {ASPECT} _==train_ _==sig_ _==aspect_
             refl==train refl==sig refl==aspect (t ,, (sig ,, asp))
refl==labelTrains (setSigs sig asp) =
  reflPair {SIGNAL} {ASPECT} _==sig_ _==aspect_
           refl==sig refl==aspect (sig ,, asp)

sym==labelTrains : (l l' : LabelTrains) → T' (l ==LabelTrains l')
                   → T' (l' ==LabelTrains l)
sym==labelTrains (getSegm t seg segst) (getSegm t' seg' segst') =
  symTriple {TRAIN} {SEGMENT} {SEGSTATE} _==train_ _==segm_ _==segstate_
            sym==train sym==segm sym==segstate
            (t ,, (seg ,, segst)) (t' ,, (seg' ,, segst'))
sym==labelTrains (setSegm t seg segst) (setSegm t' seg' segst') =
  symTriple {TRAIN} {SEGMENT} {SEGSTATE} _==train_ _==segm_ _==segstate_
            sym==train sym==segm sym==segstate
            (t ,, (seg ,, segst)) (t' ,, (seg' ,, segst'))
sym==labelTrains (setSig t sig asp) (setSig t' sig' asp') =
  symTriple {TRAIN} {SIGNAL} {ASPECT} _==train_ _==sig_ _==aspect_
            sym==train sym==sig sym==aspect
            (t ,, (sig ,, asp)) (t' ,, (sig' ,, asp'))
sym==labelTrains (setSigs sig asp) (setSigs sig' asp') =
  symPair {SIGNAL} {ASPECT} _==sig_ _==aspect_
          sym==sig sym==aspect
          (sig ,, asp) (sig' ,, asp')
sym==labelTrains (getSegm x x₁ x₂) (setSegm x₃ x₄ x₅) ()
sym==labelTrains (getSegm x x₁ x₂) (setSig x₃ x₄ x₅) ()
sym==labelTrains (getSegm x x₁ x₂) (setSigs x₃ x₄) ()
sym==labelTrains (setSegm x x₁ x₂) (getSegm x₃ x₄ x₅) ()
sym==labelTrains (setSegm x x₁ x₂) (setSig x₃ x₄ x₅) ()
sym==labelTrains (setSegm x x₁ x₂) (setSigs x₃ x₄) ()
sym==labelTrains (setSig x x₁ x₂) (getSegm x₃ x₄ x₅) ()
sym==labelTrains (setSig x x₁ x₂) (setSegm x₃ x₄ x₅) ()
sym==labelTrains (setSig x x₁ x₂) (setSigs x₃ x₄) ()
sym==labelTrains (setSigs x x₁) (getSegm x₂ x₃ x₄) ()
sym==labelTrains (setSigs x x₁) (setSegm x₂ x₃ x₄) ()
sym==labelTrains (setSigs x x₁) (setSig x₂ x₃ x₄) ()

transflabelTrains : (l l' : LabelTrains)(Q : LabelTrains → Set)
                    → T' (l ==LabelTrains l')
                    → Q l → Q l'
transflabelTrains (getSegm t seg segst) (getSegm t' seg' segst') Q =
  transfTriple {TRAIN} {SEGMENT} {SEGSTATE} _==train_ _==segm_
               _==segstate_ transftrain transfsegm transfsegstate
               (t ,, (seg ,, segst)) (t' ,, (seg' ,, segst'))
               (λ {(t ,, (seg ,, segst)) → Q (getSegm t seg segst)})
transflabelTrains (setSegm t seg segst) (setSegm t' seg' segst') Q =
  transfTriple {TRAIN} {SEGMENT} {SEGSTATE} _==train_ _==segm_
               _==segstate_ transftrain transfsegm transfsegstate
               (t ,, (seg ,, segst)) (t' ,, (seg' ,, segst'))
               (λ {(t ,, (seg ,, segst)) → Q (setSegm t seg segst)})
transflabelTrains (setSig t sig asp) (setSig t' sig' asp') Q =
  transfTriple {TRAIN} {SIGNAL} {ASPECT} _==train_ _==sig_
               _==aspect_ transftrain transfsig transfaspect
               (t ,, (sig ,, asp)) (t' ,, (sig' ,, asp'))
               (λ {(t ,, (sig ,, asp)) → Q (setSig t sig asp)})
transflabelTrains (setSigs sig asp) (setSigs sig' asp') Q =
  transfPair {SIGNAL} {ASPECT} _==sig_ _==aspect_
             transfsig transfaspect
             (sig ,, asp) (sig' ,, asp')
             (λ {(sig ,, asp) → Q (setSigs sig asp)})
transflabelTrains (getSegm x x₁ x₂) (setSegm x₃ x₄ x₅) Q ()
transflabelTrains (getSegm x x₁ x₂) (setSig x₃ x₄ x₅) Q ()
transflabelTrains (getSegm x x₁ x₂) (setSigs x₃ x₄) Q ()
transflabelTrains (setSegm x x₁ x₂) (getSegm x₃ x₄ x₅) Q ()
transflabelTrains (setSegm x x₁ x₂) (setSig x₃ x₄ x₅) Q ()
transflabelTrains (setSegm x x₁ x₂) (setSigs x₃ x₄) Q ()
transflabelTrains (setSig x x₁ x₂) (getSegm x₃ x₄ x₅) Q ()
transflabelTrains (setSig x x₁ x₂) (setSegm x₃ x₄ x₅) Q ()
transflabelTrains (setSig x x₁ x₂) (setSigs x₃ x₄) Q ()
transflabelTrains (setSigs x x₁) (getSegm x₂ x₃ x₄) Q ()
transflabelTrains (setSigs x x₁) (setSegm x₂ x₃ x₄) Q ()
transflabelTrains (setSigs x x₁) (setSig x₂ x₃ x₄) Q ()

showLabelTrains : (s : LabelTrains) → String
showLabelTrains (getSegm x x₁ x₂) = showTRAIN x ++s showSEGMENT x₁ ++s showSEGSTATE x₂
showLabelTrains (setSegm x x₁ x₂) = showTRAIN x ++s showSEGMENT x₁ ++s showSEGSTATE x₂
showLabelTrains (setSig x x₁ x₂) = showTRAIN x ++s showSIGNAL x₁ ++s showASPECT x₂
showLabelTrains (setSigs x x₁) = showSIGNAL x ++s showASPECT x₁

LabelListLabelTrainsGetSegm : List LabelTrains
LabelListLabelTrainsGetSegm = LUnion LabelListTRAIN λ tr →
                              LUnion LabelListSEGMENT λ segm →
                              LUnion LabelListSEGSTATE λ segst →
                              getSegm tr segm segst :: []

LabelListLabelTrainsSetSegm : List LabelTrains
LabelListLabelTrainsSetSegm = LUnion LabelListTRAIN λ tr →
                              LUnion LabelListSEGMENT λ segm →
                              LUnion LabelListSEGSTATE λ segst →
                              setSegm tr segm segst :: []

LabelListLabelTrainsSetSig : List LabelTrains
LabelListLabelTrainsSetSig = LUnion LabelListTRAIN λ tr →
                             LUnion LabelListSIGNAL λ sig →
                             LUnion LabelListASPECT λ asp →
                             setSig tr sig asp :: []

LabelListLabelTrainsSetSigs : List LabelTrains
LabelListLabelTrainsSetSigs = LUnion LabelListSIGNAL λ sig →
                              LUnion LabelListASPECT λ asp →
                              setSigs sig asp :: []

LabelListLabelTrains : List LabelTrains
LabelListLabelTrains = LabelListLabelTrainsGetSegm
                       ++l LabelListLabelTrainsSetSegm
                       ++l LabelListLabelTrainsSetSig
                       ++l LabelListLabelTrainsSetSigs

labelTrains : LUniv
LUniv.Labelf labelTrains = LabelTrains
LUniv._==lf_ labelTrains = _==LabelTrains_
LUniv.refl==lf labelTrains {l} = refl==labelTrains l
LUniv.showLabelf labelTrains = showLabelTrains
LUniv.LabelListf labelTrains = LabelListLabelTrains
LUniv.sym==lf labelTrains {l} {l'} = sym==labelTrains l l'
LUniv.transf labelTrains {l} {l'} = transflabelTrains l l'

|□|tr : {i : Size} {c : Choice} {A : Set} → List A → (A → Process i {labelTrains} c) → Process i {labelTrains} c
|□|tr l f = |□| {lu = labelTrains} l f


A. Agda Code


--@BEGIN@SIGCTL
SIGCTL : {i : Size}(sig : SIGNAL) → Process∞ i {labelTrains} ∅'
forcep (SIGCTL sig) = |□| {lu = labelTrains} LabelListTRAIN λ tr →
                      |□| {lu = labelTrains} LabelListASPECT λ asp →
                      lab (setSig tr sig asp) ⟶ SIGCTL sig
Str∞ (SIGCTL sig) = "SIGCTL" ++s showSIGNAL sig
--@END

setSTOP : Choice
setSTOP = ((fin zero) ⊎' (fin zero))

□toStringSimple : String → String → String
□toStringSimple str str' = str ++s " □ " ++s str'

□fmapNameSimple : String → String
□fmapNameSimple str = "fmap (" ++s str ++s ")"

--@BEGIN@SEGCTL
mutual
  SEGCTL1 : {i : Size}(seg : SEGMENT)(segstate : SEGSTATE)
            → Process∞ i {labelTrains} ∅'
  forcep (SEGCTL1 seg segstate) = |□|tr LabelListTRAIN λ tr →
                                  lab (getSegm tr seg segstate)
                                  ⟶ SEGCTL seg segstate
  Str∞ (SEGCTL1 seg segstate) = "SEGCTL1" ++s showSEGMENT seg
                                ++s showSEGSTATE segstate

  SEGCTL2 : {i : Size}(seg : SEGMENT)(segstate : SEGSTATE)
            → Process∞ i {labelTrains} ∅'
  forcep (SEGCTL2 seg segstate) = |□|tr LabelListTRAIN λ tr →
                                  |□|tr LabelListSEGSTATE λ newsegstate →
                                  lab (setSegm tr seg newsegstate)
                                  ⟶ SEGCTL seg newsegstate
  Str∞ (SEGCTL2 seg segstate) = "SEGCTL2" ++s showSEGMENT seg
                                ++s showSEGSTATE segstate

  SEGCTL : {i : Size}(seg : SEGMENT)(segstate : SEGSTATE)
           → Process∞ i {labelTrains} ∅'
  forcep (SEGCTL seg segstate) = fmap {labelTrains} ∅⊎∅→∅
                                 (forcep (SEGCTL1 seg segstate) □wNam
                                  forcep (SEGCTL2 seg segstate)
                                  Using □toStringSimple , □fmapNameSimple ,
                                        □fmapNameSimple)
  Str∞ (SEGCTL seg segstate) = "SEGCTL" ++s showSEGMENT seg
                               ++s showSEGSTATE segstate
--@END


mutual
--@BEGIN@TRAINENTER
  TRAINENTER : {i : Size}(tr : TRAIN)(seg : SEGMENT)(sig : SIGNAL)
               → Process∞ i {labelTrains} ∅'
  forcep (TRAINENTER tr seg sig) = lab (getSegm tr seg free)
                                   ⟶pp ((lab (setSig tr sig green)
                                   ⟶pp (lab (setSegm tr seg blocked)
                                   ⟶ TRAINLEAVE tr seg sig)))
  Str∞ (TRAINENTER tr seg sig) = "TRAINENTER" ++s showTRAIN tr ++s
                                 showSEGMENT seg ++s showSIGNAL sig
--@END

--@BEGIN@TRAINLEAVE
  TRAINLEAVE : {i : Size}(tr : TRAIN)(seg : SEGMENT)(sig : SIGNAL)
               → Process∞ i {labelTrains} ∅'
  forcep (TRAINLEAVE tr seg sig) = lab (setSegm tr seg free)
                                   ⟶pp (lab (setSig tr sig red)
                                   ⟶ TRAINENTER tr seg sig)
  Str∞ (TRAINLEAVE tr seg sig) = "TRAINLEAVE" ++s showTRAIN tr ++s
                                 showSEGMENT seg ++s showSIGNAL sig
--@END


|||toStringSimple : String → String → String
|||toStringSimple str str' = str ++s " ||| " ++s str'

fmapNameSimple : ∀{c} → ChoiceSet c → String → String
fmapNameSimple {c} a str = "fmap (" ++s str ++s ")"

--@BEGIN@SYSTEMpartone
SYSTEMp1 : {i : Size} → Process∞ i {labelTrains} (∅' ×' ∅' ×' ∅')
SYSTEMp1 = (SIGCTL sig1 |||wNam∞ SIGCTL sig2
            Using |||toStringSimple , fmapNameSimple , fmapNameSimple)
           |||wNam∞ SEGCTL seg1 free
           Using |||toStringSimple , fmapNameSimple , fmapNameSimple
--@END

-- ****** change last part to SEGCTL to be defined ******

[||]toStringSimple : String → String → String
[||]toStringSimple str str' = str ++s " [||] " ++s str'

--@BEGIN@SYSTEMparttwo
SYSTEMp2 : {i : Size} → Process∞ i {labelTrains} (∅' ×' ∅')
SYSTEMp2 = TRAINENTER ta seg1 sig1 |||wNam∞
           TRAINENTER tb seg1 sig2 Using
           |||toStringSimple , fmapNameSimple , fmapNameSimple
--@END

--@BEGIN@SYSTEM
SYSTEM : {i : Size} → Process∞ i {labelTrains} (∅' ×' ∅' ×' ∅' ×' (∅' ×' ∅'))
SYSTEM = SYSTEMp1 [ (λ x → true) ]||wNam∞[ (λ x → true) ] SYSTEMp2
         Using [||]toStringSimple , fmapNameSimple , fmapNameSimple
--@END

nameHideInSystem : String → String
nameHideInSystem str = "Hide (" ++s str ++s ")"

nameEmpty : String → String
nameEmpty str = ""

--@BEGIN@SYSTEMSHIDE
hideInSystem : Label labelTrains → Bool
hideInSystem (lab (setSig _ _ _)) = false
hideInSystem (lab (setSigs _ _)) = false
hideInSystem l = true

SYSTEMSHIDE : {i : Size} → Process∞ i {labelTrains}
              (∅' ×' ∅' ×' ∅' ×' (∅' ×' ∅'))
SYSTEMSHIDE = HideWithName∞ nameHideInSystem hideInSystem SYSTEM
--@END

nameRenamInSystem : String → String
nameRenamInSystem str = "Renam (" ++s str ++s ")"

--@BEGIN@SYSTEMSIGONLY
renameInSystem : Label labelTrains → Label labelTrains
renameInSystem (lab (setSig x x₁ x₂)) = lab (setSigs x₁ x₂)
renameInSystem l = l

SYSTEM-SIGONLY : {i : Size} → Process∞ i {labelTrains}
                 (∅' ×' ∅' ×' ∅' ×' (∅' ×' ∅'))
SYSTEM-SIGONLY = RenameWithName∞ nameRenamInSystem
                 renameInSystem SYSTEMSHIDE
--@END


mainSIGCTL : IOConsole ∞ Unit
mainSIGCTL = myProgrami∞ false (SIGCTL sig1)

main'' : NativeIO Unit
main'' = compile SYSTEMSHIDE

main' : NativeIO Unit
main' = compile SYSTEMp1

BADSIGNALSstr1 : String → String → String
BADSIGNALSstr1 s s' = "BADSIGNALS"

BADSIGNALSstr2 : String → String
BADSIGNALSstr2 s = "BADSIGNALS"

BADSIGNALSstr3 : String → String
BADSIGNALSstr3 s = "BADSIGNALS"

efq∅⊎∅ : ∀ {X : Set} → ChoiceSet (∅' ⊎' ∅') → X
efq∅⊎∅ (inj₁ ())
efq∅⊎∅ (inj₂ ())

BADSIGNALS : Process∞ ∞ {labelTrains} (∅' ×' ∅' ×' ∅' ×' (∅' ×' ∅'))
BADSIGNALS = fmap∞ efq∅⊎∅
             ((lab (setSigs sig1 green) ⟶p∞ (lab (setSigs sig2 green)
               ⟶ STOP∞ (fin zero)))
              □wNam∞∞
              (lab (setSigs sig2 green) ⟶p∞ (lab (setSigs sig1 green)
               ⟶ STOP∞ (fin zero)))
              Using BADSIGNALSstr1 , BADSIGNALSstr2 , BADSIGNALSstr3)

main : NativeIO Unit
main = compile SYSTEM-SIGONLY

A.117 trainExampleCorrected.agda


--@PREFIX@trainExampleCorrected

module trainExampleCorrected where
--module trainExample where

open import Data.Bool hiding (_≡_)
open import Data.Sum
open import Data.Bool.Base renaming (T to T') hiding (_≡_)
open import libBool
open import libList
open import Data.String
open import Data.String renaming (_==_ to _==strb_ ; _++_ to _++s_)
open import Data.List renaming (_++_ to _++l_ ; map to mapL)
open import labelUniv
open import Size
open import process
open import choiceSetU
open import choiceFromList
open import preFix
open import simulator
open import NativeIO
open import SizedIO.Console hiding (main)
open import externalChoice
open import Data.Fin
open import Data.Nat hiding (_≡_)
open import parallelSimple
open import interleave
open import hidingOperator
open import renamingOperator
open import SizedIO.Base
open import renamingResult
open import dataAuxFunction
open import Relation.Nullary.Decidable
open import Data.String
open import UnitModule
open import trainExample hiding (SEGCTL1 ; SEGCTL2 ; SEGCTL ; SYSTEMp1 ; SYSTE
                                 SYSTEMSHIDE ; SYSTEM-SIGONLY ; main ; TRAINEN

--@BEGIN@SEGCTL
mutual
  SEGCTLa : {i : Size}(seg : SEGMENT)(segstate : SEGSTATE)
            → Process∞ i {labelTrains} ∅'
  forcep (SEGCTLa seg segstate) = |□|tr LabelListTRAIN λ tr →
                                  lab (getSegm tr seg segstate)
                                  ⟶ SEGCTL1 seg segstate
  Str∞ (SEGCTLa seg segstate) = "SE
GCTLa" ++s showSEGMENT seg
                                ++s showSEGSTATE segstate

  SEGCTLb : {i : Size}(seg : SEGMENT)(segstate : SEGSTATE)
            → Process∞ i {labelTrains} ∅'
  forcep (SEGCTLb seg segstate) = |□|tr LabelListTRAIN λ tr →
                                  |□|tr LabelListSEGSTATE λ newsegstate →
                                  lab (setSegm tr seg newsegstate)
                                  ⟶ SEGCTL seg newsegstate
  Str∞ (SEGCTLb seg segstate) = "SEGCTLb" ++s showSEGMENT seg
                                ++s showSEGSTATE segstate

  SEGCTL1 : {i : Size}(seg : SEGMENT)(segstate : SEGSTATE)
            → Process∞ i {labelTrains} ∅'
  forcep (SEGCTL1 seg segstate) = |□|tr LabelListTRAIN λ tr →
                                  |□|tr LabelListSEGSTATE λ newsegstate →
                                  lab (setSegm tr seg newsegstate)
                                  ⟶ SEGCTL seg newsegstate
  Str∞ (SEGCTL1 seg segstate) = "SEGCTL1" ++s showSEGMENT seg
                                ++s showSEGSTATE segstate

  SEGCTL : {i : Size}(seg : SEGMENT)(segstate : SEGSTATE)
           → Process∞ i {labelTrains} ∅'
  forcep (SEGCTL seg segstate) = fmap ∅⊎∅→∅
                                 (forcep (SEGCTLa seg segstate) □wNam
                                  forcep (SEGCTLb seg segstate)
                                  Using □toStringSimple , □fmapNameSimple ,
                                        □fmapNameSimple)
  Str∞ (SEGCTL seg segstate) = "SEGCTL" ++s showSEGMENT seg
                               ++s showSEGSTATE segstate
--@END


mutual
--@BEGIN@TRAINENTER
  TRAINENTER : {i : Size}(tr : TRAIN)(seg : SEGMENT)(sig : SIGNAL)
               → Process∞ i {labelTrains} ∅'
  forcep (TRAINENTER tr seg sig) = lab (getSegm tr seg free)
                                   ⟶pp ((lab (setSig tr sig green)
                                   ⟶pp (lab (setSegm tr seg blocked)
                                   ⟶ TRAINLEAVE tr seg sig)))
  Str∞ (TRAINENTER tr seg sig) = "TRAINENTER" ++s showTRAIN tr ++s
                                 showSEGMENT seg ++s showSIGNAL sig
--@END

--@BEGIN@TRAINLEAVE
  TRAINLEAVE : {i : Size}(tr : TRAIN)(seg : SEGMENT)(sig : SIGNAL)
               → Process∞ i {labelTrains} ∅'
  forcep (TRAINLEAVE tr seg sig) = lab (setSig tr sig red)
                                   ⟶pp (lab (setSegm tr seg free)
                                   ⟶ TRAINENTER tr seg sig)
  Str∞ (TRAINLEAVE tr seg sig) = "TRAINLEAVE" ++s showTRAIN tr ++s
                                 showSEGMENT seg ++s showSIGNAL sig
--@END

--@BEGIN@SYSTEMpartone
SYSTEMp1 : {i : Size} → Process∞ i {labelTrains} (∅' ×' ∅' ×' ∅')
SYSTEMp1 = (SIGCTL sig1 |||wNam∞ SIGCTL sig2
            Using |||toStringSimple , fmapNameSimple , fmapNameSimple)
           |||wNam∞ SEGCTL seg1 free
           Using |||toStringSimple , fmapNameSimple , fmapNameSimple
--@END

--@BEGIN@SYSTEMparttwo


SYSTEMp2 : {i : Size} → Process∞ i {labelTrains} (∅' ×' ∅')
SYSTEMp2 = TRAINENTER ta seg1 sig1 |||wNam∞
           TRAINENTER tb seg1 sig2 Using
           |||toStringSimple , fmapNameSimple , fmapNameSimple


--@END


--@BEGIN@SYSTEM 

SYSTEM : {i : Size} → Process∞ i {labelTrains} (∅' ×' ∅' ×' ∅' ×' (∅' ×' ∅'))
SYSTEM = SYSTEMp1 [ (λ x → true) ]||wNam∞[ (λ x → true) ] SYSTEMp2
         Using [||]toStringSimple , fmapNameSimple , fmapNameSimple


--@END


--@BEGIN@SYSTEMSHIDE

SYSTEMSHIDE : {i : Size} → Process∞ i {labelTrains}
              (∅' ×' ∅' ×' ∅' ×' (∅' ×' ∅'))
SYSTEMSHIDE = HideWithName∞ nameHideInSystem hideInSystem SYSTEM
--@END


--@BEGIN@SYSTEMSIGONLY 


SYSTEM-SIGONLY : {i : Size} → Process∞ i {labelTrains}
                 (∅' ×' ∅' ×' ∅' ×' (∅' ×' ∅'))
SYSTEM-SIGONLY = RenameWithName∞ nameRenamInSystem
                 renameInSystem SYSTEMSHIDE


--@END


main : NativeIO Unit
main = compile SYSTEM-SIGONLY


A. 118 trainExampleCorrectedOptimized.agda 


--@PREFIX@trainExampleCorrectedOptimized 




module trainExampleCorrectedOptimized where 


open import Data.Bool hiding (_≟_)
open import Data.Sum
open import Data.Bool.Base renaming (T to T') hiding (_≟_)
open import libBool
open import libList
open import Data.String
open import Data.String renaming (_==_ to _==strb_ ; _++_ to _++s_)
open import Data.List renaming (_++_ to _++l_ ; map to mapL)
open import labelUniv
open import Size
open import process
open import choiceSetU
open import choiceFromList
open import preFix
open import simulator
open import NativeIO
open import SizedIO.Console hiding (main)
open import externalChoice
open import Data.Fin
open import Data.Nat hiding (_≟_)
open import parallelSimple
open import interleave
open import hidingOperator
open import renamingOperator
open import SizedIO.Base
open import renamingResult
open import dataAuxFunction hiding (test)
open import Relation.Nullary.Decidable
open import Data.String
open import UnitModule
open import trainExample hiding (SEGCTL1 ; SEGCTL2 ; SEGCTL ; SYSTEMp1 ; SYSTEMp2
                                 SYSTEMSHIDE ; SYSTEM-SIGONLY ; main ; TRAINENTER
open import trainExampleCorrected hiding (main)
open import process2OptimizedProcess




OPTIMIZED-SYSTEM : Process∞ ∞ (∅' ×' ∅' ×' ∅' ×' (∅' ×' ∅'))
OPTIMIZED-SYSTEM = optmizedProcess∞ ∞ (∅' ×' ∅' ×' ∅' ×' (∅' ×' ∅')) SYSTEM-SIGONLY

main : NativeIO Unit
main = compile OPTIMIZED-SYSTEM

test : Process ∞ (∅' ×' ∅' ×' ∅' ×' (∅' ×' ∅'))
test = forcep OPTIMIZED-SYSTEM {∞}

test1 : Choice
test1 = Ep test

test2 : Choice
test2 = Ip test

test3 : Choice
test3 = Tp test


A. 119 trainExampleCorrectedOptimized2.agda 


--@PREFIX@trainExampleCorrectedOptimizedTwo 
module trainExampleCorrectedOptimized2 where 


open import Data.Bool hiding (_≟_)
open import Data.Sum
open import Data.Bool.Base renaming (T to T') hiding (_≟_)
open import libBool
open import libList
open import Data.String
open import Data.String renaming (_==_ to _==strb_ ; _++_ to _++s_)
open import Data.List renaming (_++_ to _++l_ ; map to mapL)
open import labelUniv
open import Size
open import process
open import choiceSetU
open import choiceFromList




open import preFix
open import simulator
open import NativeIO
open import SizedIO.Console hiding (main)
open import externalChoice
open import Data.Fin
open import Data.Nat hiding (_≟_)
open import parallelSimple
open import interleave
open import hidingOperator
open import renamingOperator
open import SizedIO.Base
open import renamingResult
open import dataAuxFunction hiding (test)
open import Relation.Nullary.Decidable
open import Data.String
open import UnitModule
open import trainExample hiding (SEGCTL1 ; SEGCTL2 ; SEGCTL ; SYSTEMp1 ; SYSTEMp2
                                 SYSTEMSHIDE ; SYSTEM-SIGONLY ; main ; TRAINENTER
open import trainExampleCorrected hiding (main)
open import choiceSetUOptimized2
open import process2OptimizedProcess2


OPTIMIZED-SYSTEM : Process∞ ∞ (∅' ×' ∅' ×' ∅' ×' (∅' ×' ∅'))
OPTIMIZED-SYSTEM = optmizedProcess∞ ∞ (∅' ×' ∅' ×' ∅' ×' (∅' ×' ∅')) SYSTEM-SIGONLY

main : NativeIO Unit
main = compile OPTIMIZED-SYSTEM

test : Process ∞ (∅' ×' ∅' ×' ∅' ×' (∅' ×' ∅'))
test = forcep OPTIMIZED-SYSTEM {∞}

test1 : Choice
test1 = Ep test

test2 : Choice
test2 = Ip test




test3 : Choice 
test3 = Tp test 


A. 120 trainExampleCorrectedOptimized3.agda 


--@PREFIX@trainExampleCorrectedOptimizedThree 
module trainExampleCorrectedOptimized3 where 


open import Data.Bool hiding (_≟_)
open import Data.Sum
open import Data.Bool.Base renaming (T to T') hiding (_≟_)
open import libBool
open import libList
open import Data.String
open import Data.String renaming (_==_ to _==strb_ ; _++_ to _++s_)
open import Data.List renaming (_++_ to _++l_ ; map to mapL)
open import labelUniv
open import Size
open import process
open import choiceSetU
open import choiceFromList
open import preFix
open import simulator
open import NativeIO
open import SizedIO.Console hiding (main)
open import externalChoice
open import Data.Fin
open import Data.Nat hiding (_≟_)
open import parallelSimple
open import interleave
open import hidingOperator
open import renamingOperator
open import SizedIO.Base
open import renamingResult
open import dataAuxFunction hiding (test)
open import Relation.Nullary.Decidable
open import Data.String




open import UnitModule
open import trainExample hiding (SEGCTL1 ; SEGCTL2 ; SEGCTL ; SYSTEMp1 ; SYSTEMp2
                                 SYSTEMSHIDE ; SYSTEM-SIGONLY ; main ; TRAINENTER
open import trainExampleCorrected hiding (main)
open import choiceSetUOptimized3
open import process2OptimizedProcess3

OPTIMIZED-SYSTEM : Process∞ ∞ (∅' ×' ∅' ×' ∅' ×' (∅' ×' ∅'))
OPTIMIZED-SYSTEM = optmizedProcess∞ ∞ (∅' ×' ∅' ×' ∅' ×' (∅' ×' ∅')) SYSTEM-SIGONLY

main : NativeIO Unit
main = compile OPTIMIZED-SYSTEM

test : Process ∞ (∅' ×' ∅' ×' ∅' ×' (∅' ×' ∅'))
test = forcep OPTIMIZED-SYSTEM {∞}

test1 : Choice
test1 = Ep test

test2 : Choice
test2 = Ip test

test3 : Choice
test3 = Tp test


A. 121 trainExampleCorrectedOptimized3ProofNonRe 


--@PREFIX@trainExampleCorrectedOptimizedThreeProofNonRefinement 

module trainExampleCorrectedOptimized3ProofNonRefinement1 where
--module trainExample where

open import Data.Bool hiding (_≟_)
open import Data.Sum
open import Data.Unit
open import Relation.Binary.PropositionalEquality




open import Data.Bool.Base renaming (T to T') hiding (_≟_)
open import libBool
open import dataAuxFunction renaming (efq to efq₁)
open import process
open import libList
open import Data.String
open import Data.Maybe
open import Data.String renaming (_==_ to _==strb_ ; _++_ to _++s_)
open import Data.List renaming (_++_ to _++l_ ; map to mapL)
open import labelUniv
open import Size
open import process
open import choiceSetU
open import choiceFromList
open import preFix
open import simulator
open import NativeIO
open import SizedIO.Console hiding (main)
open import externalChoice
open import Data.Fin
open import Data.Nat hiding (_≟_)
{- needed possibly for compilation -}
open import parallelSimple
open import interleave
open import auxData
open import hidingOperator
open import renamingOperator
open import SizedIO.Base hiding (delay)
open import renamingResult
open import dataAuxFunction hiding (- 1 )
open import Relation.Nullary.Decidable
open import Data.String
open import UnitModule
open import Data.Empty
open import trainExample hiding (SEGCTL1 ; SEGCTL2 ; SEGCTL ; SYSTEMp1 ; SYSTEM ; SYSTEM
                                 SYSTEM-SIGONLY ; TRAINLEAVE ; TRAINENTER ; main)
open import trainExampleCorrected
open import TraceWithoutSize
open import RefWithoutSize




-- open import dataAuxFunction
open import choiceSetUOptimized3
open import process2OptimizedProcess3
open import trainExampleCorrectedOptimized3

-- lemma1notfin0 : ((((Fin 0 ⊎ Fin 0) ⊎ Fin 0 ⊎ Fin 0) ×
--                   ((Fin 0 ⊎ Fin 0) ⊎ Fin 0 ⊎ Fin 0))
--                   × ((Fin 0 ⊎ Fin 0) ⊎ Fin 0 ⊎ Fin 0))
--                   × (Fin 0 × Fin 0)((((Fin 0 ⊎ Fin 0) ⊎ Fin 0 ⊎ Fin 0) ×
--                   ((Fin 0 ⊎ Fin 0) ⊎ Fin 0 ⊎ Fin 0))
--                   × ((Fin 0 ⊎ Fin 0) ⊎ Fin 0 ⊎ Fin 0))
--                   × (Fin 0 × Fin 0) → ⊥
-- lemma1notfin0 x = ?

strAppend : String → String → String
strAppend = primStringAppend

f0 : Choice
f0 = fin 0

f1 : Choice
f1 = fin 1

badTraceLabels : List (Label labelTrains)
badTraceLabels = lab (setSigs sig1 green) :: lab (setSigs sig2 green) :: []

badTraceBadSignal : Tr∞ {labelTrains} badTraceLabels nothing BADSIGNALS
badTraceBadSignal = tnode (extc (lab (setSigs sig2 green) :: []) nothing (inj₁ zero)
                     (tnode (extc [] nothing zero
                      (tnode empty))))

noTraceBadSignal : (m : Maybe (ChoiceSet (∅' ×' ∅' ×' ∅' ×' (∅' ×' ∅'))))
                   (l : List (Label labelTrains))
                   (tr : Tr∞ {labelTrains} l m OPTIMIZED-SYSTEM)
                   (mm' : m ≡ nothing)
                   (ll' : l ≡ badTraceLabels)
                   → ⊥
noTraceBadSignal .nothing .[] (tnode empty) mm' ()
noTraceBadSignal m 

.(renamelnSystem (Lab (((fmap+ cl±)’c->c (fmap+ cttl'c->c (process+ fl (X_—x lab (setS 

efqi fO efqi "(tasiglred -> SIGCTLsigl)" □+ process+ fl 


a 


-o 
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A. Agda Code 
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(X —y lab (setSig ta sigl green)) (X _ —>■ SIGCTL sigl) fO 

efqx fO efqi " (tasiglgreen -> SIGCTLsigl) ") □+ fmap+ cl±)’c->c (process+ fl 
(X _ —> lab (setSig tb sigl red)) (X _ —> SIGCTL sigl) fO 

efq x fO efqx "(tbsiglred -> SIGCTLsigl)" □+ process+ fl (X _ —>• lab (setSig tb sigl green)) 

(X _ —>■ SIGCTL sigl) fO efqx fO efqx " (tbsiglgreen -> SIGCTLsigl)")) |||wl\lam++ 

fmap+ cl±l’c->c (fmap+ cl±l'c->c (process+ fl (X _ —>■ lab (setSig ta sig2 red)) (X _ —>• SIGCTL sig! 

efqx fO efqx "(tasig2red -> SIGCTLsig2)" □+ process+ fl (X _ —>- lab (setSig ta sig2 green)) 

(X _ —» SIGCTL sig2) fO efqx fO efqx " (tasig2green -> SIGCTLsig2) ") □+ fmap+ d±l'c->c 
(process+ fl (X _ —?► lab (setSig tb sig2 red)) (X _ —* SIGCTL sig2) 
fO efqx fO efqx " (tbsig2red -> SIGCTLsig2)" □+ process+ fl 
(X _ —> lab (setSig tb sig2 green)) (X _ —* SIGCTL sig2) fO efqx fO 

efqx " (tbsig2green -> SIGCTLsig2) ")) Using (X str str’ —> strAppend str (strAppend " III " 
(X a str —> strAppend "fmap (" (strAppend str ")")) , (X a str —>■ strAppend "fmap (" (strAppen 
||wNam++ fmap+ 0l±)0->0 (fmap+ d±J’c->c (process+ fl (X _ —> lab (getSegm ta segl free)) (X _ 
efqx fO efqx "(taseglfree -> SEGCTLlseglf ree)" □+ process+ fl 
(X —> lab (getSegm tb segl free)) (X _ —» SEGCTL1 segl free) fO efqx fO efqx 
"(tbseglfree -> SEGCTLlseglf ree) ") DwNam+ fmap+ d±J'c->c (fmap+ cl±l’c->c (process+ fl 

(X —^ SEGCTL segl free) fO efqx fO efqx "(taseglfree -> SEGCTLseglf ree)" □+ process+ fl 

(X _ —>• lab (setSegm ta segl blocked)) (X _ —» SEGCTL segl blocked) fO efqx fO efqx 
" (taseglblocked -> SEGCTLseglblocked) ") □+ fmap+ cl±l’c->c (process+ fl (X _ —> lab (setS 

(X —y SEGCTL segl free) fO efqx fO efqx "(tbseglfree -> SEGCTLseglf ree)" □+ process+ fl 

(X _ —t- lab (setSegm tb segl blocked)) (X _ —y SEGCTL segl blocked) fO efqx fO efqx 
" (tbseglblocked -> SEGCTLseglblocked)")) Using (X str str ’ strAppend str (strAppend " C 
(X str -)• strAppend "fmap (" (strAppend str ")")) , (X str —>■ strAppend "fmap (" (strAppend str ' 
Using (X str str’ —> strAppend str (strAppend " III " str’)) , 

(X a str —► strAppend "fmap (" (strAppend str ")")) , (X a str —>• strAppend "fmap (" (strAppend 
[ (X x —> true) ]||wNam+[ (X x —> true) ] process+ fl (X _ —» lab (getSegm ta segl free)) 

(X _ —> delay (node (process+ fl (X _ —> lab (setSig ta sigl green)) (X _ —>• delay (node 
(process+ fl (X _ —>- lab (setSegm ta segl blocked)) (X _ —> TRAIN LEAVE ta segl sigl) fO efqx fO 
efqx "(taseglblocked -> TRAINLEAVEtaseglsigl) "))) fO efqx fO 
efqx "(tasiglgreen -> (taseglblocked -> TRAINLEAVEtaseglsigl) )"))) fO efqx fO 
efqx "(taseglfree -> (tasiglgreen -> (taseglblocked -> TRAINLEAVEtaseglsigl)))" | 
(X _ —>■ lab (getSegm tb segl free)) 

(X —y delay (node (process+ fl 

(X —y lab (setSig tb sig2 green)) 

(X _ —>• delay (node (process+ fl 
(X _ —> lab (setSegm tb segl blocked)) 

(X _ —>• TRAINLEAVE tb segl sig2) fO efqx fO efqx "(tbseglblocked -> TRAINLEAVEtbseglsig2)' 
efqx " (tbsig2green -> (tbseglblocked -> TRAINLEAVEtbseglsig2)) "))) fO efqx fO 
efqx "(tbseglfree -> (tbsig2green -> (tbseglblocked -> TRAINLEAVEtbseglsig2)))" Usin 
(X str str’ —>• strAppend str (strAppend " III " str’)) , 


a 


o 




862 


A. 121. trainExampleCorrectedOptimized3ProofNonRefl.agda 
o-o 


(X a str —>• strAppend "fmap (" (strAppend str ")")) , 

(X a str —>■ strAppend "fmap (" (strAppend str ")")) Using 

(X str str’ —» strAppend str (strAppend " [ | | ]" str’)) , 

(X a str —> strAppend "fmap (" (strAppend str ")")) , 

(X a str —>• strAppend "fmap (" (strAppend str ")"))) (projSubset (nth [] _))) :: 4) (tnode ( 

noTraceBadSignal .nothing .[] (tnode (into .[] .nothing zero (tnode empty))) mm’ () 
noTraceBadSignal .nothing .(lab (setSigs sigl green) :: []) 

(tnode (into .(lab (setSigs sigl green) :: []) .nothing zero 
(tnode (extc .[] .nothing zero (tnode empty))))) mm’ () 
noTraceBadSignal m .(lab (setSigs sigl green) :: renamelnSystem 

(Lab (((fmap+ cl±)’c->c (fmap+ inji (fmap+ cl±l’c->c (fmap+ inj 2 
(fmap+ cl±)'c->c (fmap+ cl±)'c->c (process+ fl 
(X _ —>■ lab (setSig ta sigl red)) 

(X _ —> SIGCTL sigl) fO efqi fO efq x " (tasiglred -> SIGCTLsigl)" □+ process+ fl 
(X _ —> lab (setSig ta sigl green)) 

(X _ —> SIGCTL sigl) fO efqi fO efqi " (tasiglgreen -> SIGCTLsigl)") □+ fmap+ ctd'c-' 
(X —^ lab (setSig tb sigl red)) 

(X _ —> SIGCTL sigl) fO efqx fO efq x " (tbsiglred -> SIGCTLsigl)" □+ process+ fl 
(X _ —> lab (setSig tb sigl green)) 

(X _ —> SIGCTL sigl) fO efqi fO efqi " (tbsiglgreen -> SIGCTLsigl) ")))))) |||wl\lam++ 
fmap+ cl±l'c->c (fmap+ cl±)'c->c (processT fl 
(X _ —> lab (setSig ta sig2 red)) 

(X _ —>• SIGCTL sig2) fO efqi fO efq x " (tasig2red -> SIGCTLsig2)" □+ process+ fl 
(X —y lab (setSig ta sig2 green)) 

(X _ — > SIGCTL sig2) fO efqi fO efq x " (tasig2green -> SIGCTLsig2) ") □+ fmap+ cW'c-; 
(X _ —>• lab (setSig tb sig2 red)) 

(X —y SIGCTL sig2) fO efqi fO efqi " (tbsig2red -> SIGCTLsig2)" □+ process+ fl 

(X —y lab (setSig tb sig2 green)) 

(X —y SIGCTL sig2) fO efqi fO efqi " (tbsig2green -> SIGCTLsig2) ")) Using 

(X str str’ —>• strAppend str (strAppend " III " str’)) , 

(X a str —>• strAppend "fmap (" (strAppend str ")")) , 

(X a str —» strAppend "fmap (" (strAppend str ")"))) |j|wNam++ fmap+ 0l±)0->0 (fmapWi 
(X str —> strAppend "fmap (" (strAppend str ")")) inji (fmap+ d±l'c->c (fmap+ inji (fmap- 
(X —y lab (setSegm ta segl free)) 

(X —y SEGCTL segl free) fO efq x fO efqi " (taseglfree -> SEGCTLseglf ree)" □+ proce 

(X _ —> lab (setSegm ta segl blocked)) 

(X _ —> SEGCTL segl blocked) fO efqi fO efqi " (taseglblocked -> SEGCTLseglblocked) 
(X —y lab (setSegm tb segl free)) 

(X _ —> SEGCTL segl free) fO efq x fO efqi " (tbseglfree -> SEGCTLseglf ree)" □+ proce 
(X _ —> lab (setSegm tb segl blocked)) 

(X —y SEGCTL segl blocked) fO efqi fO efqi " (tbseglblocked -> SEGCTLseglblocked) 
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-o 




863 


A. Agda Code 

o-o 


(X str str’ -} strAppend str (strAppend " III " str’)) , 

(X a str —} strAppend "fmap (" (strAppend str ")")) , 

(X a str —} strAppend "fmap (" (strAppend str ")"))) [ 

(X x —} true) ]||wNam+[ 

(X x —} true) ] process+ fl 

(X _ —>■ lab (setSegm ta segl blocked)) 

(X —} TRAINLEAVE ta segl sigl) fO efqi fO efqi " (taseglblocked -> TRAINLEAVEtaseglsigl)' 

(X _ —)► lab (getSegm tb segl free)) 

(X —} delay (node (process+ fl 

(X _ —>■ lab (setSig tb sig2 green)) 

(X _ —>■ delay (node (process+ fl 

(X —} lab (setSegm tb segl blocked)) 

(X _ —>• TRAINLEAVE tb segl sig2) fO efqi fO efqi 

" (tbseglblocked -> TRAINLEAVEtbseglsig2) "))) fO efqi fO efqi 
" (tbsig2green -> (tbseglblocked -> TRAINLEAVEtbseglsig2)) "))) fO efqi fO efqi 
"(tbseglfree -> (tbsig2green -> (tbseglblocked -> TRAINLEAVEtbseglsig2)))" Usinj 
(X str str’ —} strAppend str (strAppend " III " str’)) , 

(X a str —} strAppend "fmap (" (strAppend str ")")) , 

(X a str—} strAppend "fmap (" (strAppend str ")")) Using 

(X str str’ -} strAppend str (strAppend " [| |]" str’)) , 

(X a str—} strAppend "fmap (" (strAppend str ")")) , 

(X a str—} strAppend "fmap (" (strAppend str ")"))) (projSubset (nth [] _))) :: l) 

(tnode (intc .(lab (setSigs sigl green) :: renamelnSystem 
(Lab (((fmap+ cl±l’c->c (fmap+ inji (fmap+ cl±l’c->c (fmap+ inj 2 
(fmap+ cl±l'c->c (fmap+ cl±t’c->c (process+ fl 
(X —} lab (setSig ta sigl red)) 

(X _ —> SIGCTL sigl) fO efqi fO efqi "(tasiglred -> SIGCTLsigl)" □+ process+ fl 
(X —} lab (setSig ta sigl green)) 

(X —} SIGCTL sigl) fO efqi fO efqi " (tasiglgreen -> SIGCTLsigl)") □+ fmap+ cl±J'c->c (proce 

(X _ —} lab (setSig tb sigl red)) 

(X —^ SIGCTL sigl) fO efqi fO efqi "(tbsiglred -> SIGCTLsigl)" □+ process+ fl 

(X _ —} lab (setSig tb sigl green)) 

(X _ —} SIGCTL sigl) fO efqi fO efqi " (tbsiglgreen -> SIGCTLsigl) ")))))) |||wNam++ fmap+ 
d±l'c->c (fmap+ cl±)’c->c (process+ fl 
(X _ —>■ lab (setSig ta sig2 red)) 

(X —} SIGCTL sig2) fO efqi fO efqi "(tasig2red -> SIGCTLsig2)" □+ process+ fl 

(X _ —> lab (setSig ta sig2 green)) 

(X —} SIGCTL sig2) fO efqi fO efqi " (tasig2green -> SIGCTLsig2) ") □+ fmap+ cl±J'c->c (proce 

(X _ —> lab (setSig tb sig2 red)) 

(X —} SIGCTL sig2) fO efqi fO efqi "(tbsig2red -> SIGCTLsig2)" □+ process+ fl 

(X —^ lab (setSig tb sig2 green)) 


a 
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(X —y SIGCTL sig2) fo efq x fO efqi " (tbsig2green -> SIGCTLsig2) ")) Using 

(X str str’ —» strAppend str (strAppend " III " str’)) , 

(X a str —} strAppend "fmap (" (strAppend str ")")) , 

(X a str —> strAppend "fmap (" (strAppend str ")"))) |||wNam++ fmap+ 01±)0->0 (fmapWi 
(X str —} strAppend "fmap (" (strAppend str ")")) inji (fmap+ cl±l’c->c (fmap+ inji (fmap- 
(X —} lab (setSegm ta segl free)) 

(X —y SEGCTL segl free) fO efq x fO efq x " (taseglfree -> SEGCTLseglf ree)" □+ proce 

(X _ —>• lab (setSegm ta segl blocked)) 

(X_ —} SEGCTL segl blocked) fO efq x fO efq x " (taseglblocked -> SEGCTLseglblockec 

(process+ fl 

(X _ —>■ lab (setSegm tb segl free)) 

(X —y SEGCTL segl free) fO efq x fO efq x "(tbseglfree -> SEGCTLseglf ree)" □+ proce 

(X —y lab (setSegm tb segl blocked)) 

(X —y SEGCTL segl blocked) fO efq x fO efq x " (tbseglblocked -> SEGCTLseglblocked) 

(X str str’ —> strAppend str (strAppend " III " str’)) , 

(X a str —} strAppend "fmap (" (strAppend str ")")) , 

(X a str —} strAppend "fmap (" (strAppend str ")"))) [ 

(X x —> true) ]||wNam+[ 

(X x —> true) ] process+ fl 

(X —y lab (setSegm ta segl blocked)) 

(X —y TRAINLEAVE ta segl sigl) fO efq x fO efq x " (taseglblocked -> TRAINLEAVEtaseg 

(X _ —> lab (getSegm tb segl free)) 

(X _ delay (node (processT fl 

(X —y lab (setSig tb sig2 green)) 

(X —y delay (node (process+ fl 

(X _ —»• lab (setSegm tb segl blocked)) 

(X —> TRAINLEAVE tb segl sig2) fO efq x fO efq x 

"(tbseglblocked -> TRAINLEAVEtbseglsig2) "))) fO efq x fO efq x 
" (tbsig2green -> (tbseglblocked -> TRAINLEAVEtbseglsig2)) "))) fO efq x fO efq 
"(tbseglfree -> (tbsig2green -> (tbseglblocked -> TRAINLEAVEtbseglsig2)) 
(X str str’ —> strAppend str (strAppend " III " str’)) , 

(X a str —> strAppend "fmap (" (strAppend str ")")) , 

(X a str —> strAppend "fmap (" (strAppend str ")")) Using 

(X str str’ —>■ strAppend str (strAppend " [| |]" str’)) , 

(X a str-t strAppend "fmap (" (strAppend str ")")) , 

(X a str —} strAppend "fmap (" (strAppend str ")"))) 

(projSubset (nth [] _))) :: l) .m zero 

(tnode (extc .(renamelnSystem (Lab (((fmap+ cl±l'c->c (fmap+ inj x (fmap+ cl±l'c->c (frr 
(fmap+ cl±J’c->c (fmap+ cl±l’c->c (process+ fl 
(X —y lab (setSig ta sigl red)) 

(X —y SIGCTL sigl) fO efq x fO efq x " (tasiglred -> SIGCTLsigl)" □+ process+ fl 


o 
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(X _ —> lab (setSig ta sigl green)) 

(X —y SIGCTL sigl) fO efqi fO efqi " (tasiglgreen -> SIGCTLsigl) ") □+ fmap+ cW’c->c (proa 

(X —^ lab (setSig tb sigl red)) 

(X —y SIGCTL sigl) fO efq! fO efq! " (tbsiglred -> SIGCTLsigl)" □+ process+ fl 

(X —y lab (setSig tb sigl green)) 

(X _ —>■ SIGCTL sigl) fO efqi fO efqi " (tbsiglgreen -> SIGCTLsigl) ")))))) |||wl\lam++ fmap+ ct 
(X _ —> lab (setSig ta sig2 red)) 

(X —y SIGCTL sig2) fO efq! fO efqi "(tasig2red -> SIGCTLsig2)" □+ process+ fl 

(X —y lab (setSig ta sig2 green)) 

(X —y SIGCTL sig2) fO efqi fO efqi " (tasig2green -> SIGCTLsig2) ") □+ fmap+ c(±J’c->c (proa 

(X _ —> lab (setSig tb sig2 red)) 

(X —> SIGCTL sig2) fO efqi fO efqi " (tbsig2red -> SIGCTLsig2)" □+ process+ fl 

(X _ —>■ lab (setSig tb sig2 green)) 

(X —^ SIGCTL sig2) fO efqi fO efqi " (tbsig2green -> SIGCTLsig2) ")) Using 

(X str str’ —>• strAppend str (strAppend " III " str’)) , 

(X a str —>• strAppend "fmap (" (strAppend str ")")) , 

(X a str —>■ strAppend "fmap (" (strAppend str ")"))) |j|wNam++ fmap+ 0l±l0->0 (fmapWithName- 
(X str —>■ strAppend "fmap (" (strAppend str ")")) inji (fmap+ cl±l'c->c (fmap+ inji (fmap+ cttJ’oO 
(X —y lab (setSegm ta segl free)) 

(X —y SEGCTL segl free) fO efqi fO efqi " (taseglfree -> SEGCTLseglf ree)" □+ process+ fl 

(X _ —>■ lab (setSegm ta segl blocked)) 

(X _ —> SEGCTL segl blocked) fO efqi fO efqi 

" (taseglblocked -> SEGCTLseglblocked) ") □+ fmap+ cl±l’c->c (process+ fl 
(X _ —>■ lab (setSegm tb segl free)) 

(X _ —> SEGCTL segl free) fO efqi fO efqi 

" (tbseglf ree -> SEGCTLseglf ree)" □+ process+ fl 
(X _ —>■ lab (setSegm tb segl blocked)) 

(X —y SEGCTL segl blocked) fO efqi fO efqi " (tbseglblocked -> SEGCTLseglblocked) ")))))) U 

(X str str’ —>• strAppend str (strAppend " III " str’)) , 

(X a str —>• strAppend "fmap (" (strAppend str ")")) , 

(X a str —>■ strAppend "fmap (" (strAppend str ")"))) [ 

(X x —> true) ]||wl\lam+[ 

(X x —y true) ] process+ fl 

(X _ -i lab (setSegm ta segl blocked)) 

(X —y TRAINLEAVE ta segl sigl) fO efq x fO efqi 

"(taseglblocked -> TRAINLEAVEtaseglsigl)" |j|wl\lam++ process+ fl 

(X —y lab (getSegm tb segl free)) 

(X _ —>■ delay (node (process+ fl 
(X _ —> lab (setSig tb sig2 green)) 

(X _ —>■ delay (node (process+ fl 
(X —^ lab (setSegm tb segl blocked)) 
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(X _ —> TRAINLEAVE tb segl sig2) fO efqi fO efqi " (tbseglblocked -> TRAINLEAVEtbseg 
" (tbsig2green -> (tbseglblocked -> TRAINLEAVEtbseglsig2)) "))) fO efqi fO efq x 
"(tbseglfree -> (tbsig2green -> (tbseglblocked -> TRAINLEA¥Etbseglsig2)) 
(X str str’ —> strAppend str (strAppend " III " str’)) , 

(X a str —>• strAppend "fmap (" (strAppend str ")")) , 

(X a str —>■ strAppend "fmap (" (strAppend str ")")) Using 
(X str str’ —> strAppend str (strAppend " [ I I ]" str’)) , 

(X a str —>■ strAppend "fmap (" (strAppend str ")")) , 

(X a str —>• strAppend "fmap (" (strAppend str ")"))) (projSubset (nth [] _))) :: l) .m zero ( 
noTraceBadSignal .nothing .(lab (setSigs sigl green) :: []) 

(tnode (intc .(lab (setSigs sigl green) :: []) .nothing zero 
(tnode (extc .[] .nothing zero 

(tnode (intc .[] .nothing zero (tnode empty))))))) mm’ () 
noTraceBadSignal m .(lab (setSigs sigl green) :: lab (setSigs sigl red) :: 1) 

(tnode (intc .(lab (setSigs sigl green) :: lab (setSigs sigl red) :: l) .m zero 
(tnode (extc .(lab (setSigs sigl red) :: l) .m zero 
(tnode (intc .(lab (setSigs sigl red) :: l) .m zero 
(tnode (extc l .m zero tr )))))))) mm’ () 
noTraceBadSignal m .(lab (setSigs sigl green) 

:: renamelnSystem (Lab (((fmap+ cl±J’c->c (fmap+ inji (fmap+ cl±l'c->c (fmap+ inj 2 
(fmap+ cl±)’c->c (fmap+ cl±l'c->c (process+ fl 
(X —y lab (setSig ta sigl red)) 

(X _ —>• SIGCTL sigl) fO efqx fO efqx " (tasiglred -> SIGCTLsigl)" □+ process+ fl 
(X —y lab (setSig ta sigl green)) 

(X _ —> SIGCTL sigl) fO efqi fO efq x " (tasiglgreen -> SIGCTLsigl)") □+ fmap+ cttl'c-i 
(X _ —> lab (setSig tb sigl red)) 

(X —y SIGCTL sigl) fO efq x fO efq x " (tbsiglred -> SIGCTLsigl)" □+ process+ fl 

(X —y lab (setSig tb sigl green)) 

(X _ —y SIGCTL sigl) fO efq x fO efq x " (tbsiglgreen -> SIGCTLsigl) ")))))) |||wl\lam++ f 
(fmap+ cl±l'c->c (process+ fl 
(X _ —>■ lab (setSig ta sig2 red)) 

(X —y SIGCTL sig2) fO efq x fO efq x " (tasig2red -> SIGCTLsig2)" □+ process+ fl 

(X —y lab (setSig ta sig2 green)) 

(X —y SIGCTL sig2) fO efq x fO efq x " (tasig2green -> SIGCTLsig2) ") □+ fmap+ cW'c-; 

(X —y lab (setSig tb sig2 red)) 

(X _ —> SIGCTL sig2) fO efq x fO efq x " (tbsig2red -> SIGCTLsig2)" □+ process+ fl 
(X _ —> lab (setSig tb sig2 green)) 

(X —> SIGCTL sig2) fO efq x fO efq x " (tbsig2green -> SIGCTLsig2) ")) Using 

(X str str’ —>■ strAppend str (strAppend " III " str’)) , 

(X a str —>• strAppend "fmap (" (strAppend str ")")) , 

(X a str —> strAppend "fmap (" (strAppend str ")"))) |j|wNam++ fmap+ 0l±)0->0 (fmapWi 
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(X str —> strAppend "fmap (" (strAppend str ")")) inji (fmap+ cl±l’c->c (fmap+ inji 

(fmap+ cl±)’c->c (fmap+ inji (fmap+ cl±l’c->c (fmap+ inj 2 (fmap+ 0l±)0->0 (fmap+ cttl’c 
(X _ —> lab (getSegm ta segl blocked)) 

(X _ —> SEGCTL1 segl blocked) fO efqi fO efqi " (taseglblocked -> SEGCTLlseglblocked)" □+ 
(X —y lab (getSegm tb segl blocked)) 

(X —y SEGCTL1 segl blocked) fO efqi fO efqi " (tbseglblocked -> SEGCTLlseglblocked)") Dw 

fmap+ cl±)’c->c (fmap+ cl±l’c->c (process+ fl 
(X —y lab (setSegm ta segl free)) 

(X _ —> SEGCTL segl free) fO efq! fO efqi " (taseglfree -> SEGCTLseglf ree)" □+ process+ fl 
(X _ —>■ lab (setSegm ta segl blocked)) 

(X —)■ SEGCTL segl blocked) fO efqi fO efqi "(taseglblocked -> SEGCTLseglblocked) ") □+ fr 

(process+ fl 

(X _ —>■ lab (setSegm tb segl free)) 

(X _ —> SEGCTL segl free) fO efqi fO efqi " (tbseglfree -> SEGCTLseglf ree)" □+ process+ fl 
(X _ —>• lab (setSegm tb segl blocked)) 

(X _ —>• SEGCTL segl blocked) fO efqi fO efqi "(tbseglblocked -> SEGCTLseglblocked)")) Using 
(X str str’ —>• strAppend str (strAppend " □ " str’)) , 

(X str —>■ strAppend "fmap (" (strAppend str ")")) , 

(X str —>• strAppend "fmap (" (strAppend str")"))))))))))) Using 
(X str str’ —>• strAppend str (strAppend " III " str’)) , 

(X a str —> strAppend "fmap (" (strAppend str ")")) , 

(X a str —> strAppend "fmap (" (strAppend str ")"))) [ 

(X x —y true) ]||wNam+[ 

(X x —^ true) ] process+ fl 

(X —^ lab (setSig ta sigl red)) 

(X —y delay (node (process+ fl 

(X —y lab (setSegm ta segl free)) 

(X —y TRAINENTER ta segl sigl) fO efqi fO efqi "(taseglfree -> TRAINENTERtaseglsigl) "))) 

"(tasiglred -> (taseglfree -> TRAINENTERtaseglsigl))" |||wl\lam++ process+ fl 
(X _ —)► lab (getSegm tb segl free)) 

(X _ —>■ delay (node (process+ fl 

(X —y lab (setSig tb sig2 green)) 

(X —y delay (node (process+ fl 

(X —y lab (setSegm tb segl blocked)) 

(X —y TRAINLEAVE tb segl sig2) fO efqi fO efqi 

"(tbseglblocked -> TRAINLEAVEtbseglsig2) "))) fO efqi fO efqi 
" (tbsig2green -> (tbseglblocked -> TRAINLEAVEtbseglsig2) )"))) fO efqi fO efqi 
"(tbseglfree -> (tbsig2green -> (tbseglblocked -> TRAINLEAVEtbseglsig2)))" Usinj 
(X str str’ —>■ strAppend str (strAppend " III " str’)) , 

(X a str —>• strAppend "fmap (" (strAppend str ")")) , 

(X a str —> strAppend "fmap (" (strAppend str ")")) Using 


a 


o 




o 
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(X str str’ —>■ strAppend str (strAppend " [| |]" str’)) , 

(X a str —> strAppend "fmap (" (strAppend str ")")) , 

(X a str —>■ strAppend "fmap (" (strAppend str ")"))) (projSubset (nth [] _))) :: l) 

(tnode (intc .(lab (setSigs sigl green) :: 

renamelnSystem (Lab (((fmap+ cl±l’c->c (fmap+ inji (fmap+ cl±l’c->c (fmap+ inj 2 
(fmap+ cl±)’c->c (fmap+ cl±l’c->c (process+ fl 
(X _ —>• lab (setSig ta sigl red)) 

(X _ —> SIGCTL sigl) fO efqi fO efqi " (tasiglred -> SIGCTLsigl)" □ + 
process+ fl 

(X —y lab (setSig ta sigl green)) 

(X —y SIGCTL sigl) fO efqi fO efqi " (tasiglgreen -> SIGCTLsigl)") □+ fmap+ cl±l'c-i 

(X —y lab (setSig tb sigl red)) 

(X —y SIGCTL sigl) fO efqi fO efqi " (tbsiglred -> SIGCTLsigl)" □+ process+ fl 

(X —y lab (setSig tb sigl green)) 

(X _ —y SIGCTL sigl) fO efqi fO efqi " (tbsiglgreen -> SIGCTLsigl) ")))))) |||wl\lam++ f 
(X _ —> lab (setSig ta sig2 red)) 

(X _ —» SIGCTL sig2) fO efqi fO efqi " (tasig2red -> SIGCTLsig2)" □ + process+ fl 
(X _ —> lab (setSig ta sig2 green)) 

(X —y SIGCTL sig2) fO efqi fO efqi " (tasig2green -> SIGCTLsig2) ") □+ fmap+ cttJ’c-' 

(X —y lab (setSig tb sig2 red)) 

(X —y SIGCTL sig2) fO efqi fO efqi " (tbsig2red -> SIGCTLsig2)" □ + process+ fl 

(X _ —> lab (setSig tb sig2 green)) 

(X _ —> SIGCTL sig2) fO efqi fO efqi " (tbsig2green -> SIGCTLsig2) ")) Using 
(X str str’ —» strAppend str (strAppend " III " str’)) , 

(X a str —>• strAppend "fmap (" (strAppend str ")")) , 

(X a str —>• strAppend "fmap (" (strAppend str ")"))) |||wNam++ fmap+ 0l±)0->0 (fmapWi 
(X str —>• strAppend "fmap (" (strAppend str ")")) inji (fmap+ cl±l’c->c (fmap+ inji (fmap- 
(fmap+ inji (fmap+ cl±l’c->c (fmap+ inj 2 (fmap+ 0l±l0->0 (fmap+ cl±l’c->c (process+ 
(X _ —)• lab (getSegm ta segl blocked)) 

(X _ —> SEGCTL1 segl blocked) fO efqi fO efqi " (taseglblocked -> SEGCTLlseglblockec 
(X _ —>■ lab (getSegm tb segl blocked)) 

(X —y SEGCTL1 segl blocked) fO efqi fO efqi " (tbseglblocked -> SEGCTLlseglblockec 

(X —y lab (setSegm ta segl free)) 

(X —y SEGCTL segl free) fO efqi fO efq x " (taseglfree -> SEGCTLseglf ree)" □+ proce 

(X —y lab (setSegm ta segl blocked)) 

(X —y SEGCTL segl blocked) fO efqi fO efqi " (taseglblocked -> SEGCTLseglblocked) 

(X _ —> lab (setSegm tb segl free)) 

(X —> SEGCTL segl free) fO efqi fO efqi "(tbseglfree -> SEGCTLseglf ree)" □+ proce 

(X _ —> lab (setSegm tb segl blocked)) 

(X _ —> SEGCTL segl blocked) fO efqi fO efqi " (tbseglblocked -> SEGCTLseglblocked) 
(X str str’ —>■ strAppend str (strAppend " □ " str’)) , 
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(X str —> strAppend "fmap (" (strAppend str ")")) , 

(X str strAppend "fmap (" (strAppend str")''))))))))))) Using 
(X str str’ —> strAppend str (strAppend " III " str’)) , 

(X a str —> strAppend "fmap (" (strAppend str ")")) , 

(X a str —>• strAppend "fmap (" (strAppend str ")"))) [ 

(X x —> true) ]||wNam+[ 

(X x —> true) ] process+ fl 

(X —^ lab (setSig ta sigl red)) 

(X _ —>• delay (node (process+ fl 

(X —y lab (setSegm ta segl free)) 

(X —y TRAINENTER ta segl sigl) fO efqi fO efqi 

"(taseglfree -> TRAINENTERtaseglsigl) "))) fO efqi fO efqi 

"(tasiglred -> (taseglfree -> TRAINENTERtaseglsigl))" |||wl\lam++ process+ fl 
(X _ —>■ lab (getSegm tb segl free)) 

(X —y delay (node (process+ fl 

(X —y lab (setSig tb sig2 green)) 

(X _ —>• delay (node (process+ fl 
(X _ —> lab (setSegm tb segl blocked)) 

(X _ —>• TRAINLEAVE tb segl sig2) fO efqi fO efqi " (tbseglblocked -> TRAINLEAVEtbseglsig2)' 
" (tbsig2green -> (tbseglblocked -> TRAINLEAVEtbseglsig2) )"))) fO efqi fO efqi 
"(tbseglfree -> (tbsig2green -> (tbseglblocked -> TRAINLEAVEtbseglsig2)))" Usinj 
(X str str’ —>• strAppend str (strAppend " III " str’)) , 

(X a str strAppend "fmap (" (strAppend str ")")) , 

(X a str —> strAppend "fmap (" (strAppend str ")")) Using 

(X str str’ —>• strAppend str (strAppend " [| |]" str’)) , 

(X a str —>• strAppend "fmap (" (strAppend str ")")) , 

(X a str —► strAppend "fmap (" (strAppend str ")"))) (projSubset (nth [] _))) :: l) .m zero 

(tnode (extc .(renamelnSystem (Lab (((fmap+ cl±l’c->c (fmap+ inji (fmap+ cl±l’c->c (fmap+ inj 5 
(X —y lab (setSig ta sigl red)) 

(X —y SIGCTL sigl) fO efqi fO efqi "(tasiglred -> SIGCTLsigl)" □+ process+ fl 

(X _ —>■ lab (setSig ta sigl green)) 

(X —y SIGCTL sigl) fO efqi fO efqi " (tasiglgreen -> SIGCTLsigl)") □+ fmap+ cl±)’c->c (proa 

(X —y lab (setSig tb sigl red)) 

(X —y SIGCTL sigl) fO efqi fO efqi "(tbsiglred -> SIGCTLsigl)" □+ process+ fl 

(X _ —>■ lab (setSig tb sigl green)) 

(X —y SIGCTL sigl) fO efqi fO efqi " (tbsiglgreen -> SIGCTLsigl) ")))))) |||wl\lam++ fmap+ ct 

(X _ —> lab (setSig ta sig2 red)) 

(X —> SIGCTL sig2) fO efqi fO efqi "(tasig2red -> SIGCTLsig2)" □+ process+ fl 

(X _ —> lab (setSig ta sig2 green)) 

(X _ —>• SIGCTL sig2) fO efqi fO efqi " (tasig2green -> SIGCTLsig2) ") □+ fmap+ cl±J'c->c (proce 
(X —y lab (setSig tb sig2 red)) 
(X —y SIGCTL sig2) fO efqi fO efqi " (tbsig2red -> SIGCTLsig2)" □+ process+ fl 

(X —y lab (setSig tb sig2 green)) 

(X _ —> SIGCTL sig2) fO efq x fO efq x " (tbsig2green -> SIGCTLsig2) ")) Using 
(X str str’ —> strAppend str (strAppend " III " str ’)) , 

(X a str —>• strAppend "fmap (" (strAppend str ")")) , 

(X a str —>■ strAppend "fmap (" (strAppend str ")"))) |||wNam++ fmap+ 01±)0->0 (fmapWi 
(X str —» strAppend "fmap (" (strAppend str ")")) inji (fmap+ cl±l'c->c (fmap+ inji 

(fmap+ cl±l’c->c (fmap+ inji (fmap+ cl±l’c->c (fmap+ inj 2 (fmap+ 0l±)0->0 (fmap+ cl±l 
(X —y lab (getSegm ta segl blocked)) 

(X —y SEGCTL1 segl blocked) fO efqi fO efqi " (taseglblocked -> SEGCTLlseglblockec 

(X —y lab (getSegm tb segl blocked)) 

(X —y SEGCTL1 segl blocked) fO efq x fO efq x " (tbseglblocked -> SEGCTLlseglblockec 

(X —y lab (setSegm ta segl free)) 

(X —y SEGCTL segl free) fO efq x fO efq x " (taseglfree -> SEGCTLseglf ree)" □+ proce 

(X _ —> lab (setSegm ta segl blocked)) 

(X _ —> SEGCTL segl blocked) fO efq x fO efq x "(taseglblocked -> SEGCTLseglblocked) 
(X _ —>■ lab (setSegm tb segl free)) 

(X _ —> SEGCTL segl free) fO efq x fO efq x " (tbseglfree -> SEGCTLseglf ree)" □+ proce 
(X —y lab (setSegm tb segl blocked)) 

(X _ —> SEGCTL segl blocked) fO efq x fO efq x "(tbseglblocked -> SEGCTLseglblocked) 
(X str str’ —> strAppend str (strAppend " □ " str’)) , 

(X str —>■ strAppend "fmap (" (strAppend str ")")) , 

(X str —* strAppend "fmap (" (strAppend str")"))))))))))) Using 
(X str str’ —> strAppend str (strAppend " III " str’)) , 

(X a str —>• strAppend "fmap (" (strAppend str ")")) , 

(X a str —>• strAppend "fmap (" (strAppend str ")"))) [ 

(X x —> true) ]||wNam+[ 

(X x —> true) ] process+ fl 
(X _ —)• lab (setSig ta sigl red)) 

(X —y delay (node (process+ fl 

(X _ —>■ lab (setSegm ta segl free)) 

(X _ —> TRAINENTER ta segl sigl) fO efq x fO efq x 

"(taseglfree -> TRAINENTERtaseglsigl) "))) fO efq x fO efq x 

" (tasiglred -> (taseglfree -> TRAINENTERtaseglsigl))" |||wl\lam++ process+ 

(X —y lab (getSegm tb segl free)) 

(X _ —> delay (node (process+ fl 
(X _ —> lab (setSig tb sig2 green)) 

(X _ —> delay (node (process+ fl 
(X _ —> lab (setSegm tb segl blocked)) 

(X —y TRAINLEAVE tb segl sig2) fO efq x fO efq x 

"(tbseglblocked -> TRAINLEAVEtbseglsig2) "))) fO efq x fO efqi 
" (tbsig2green -> (tbseglblocked -> TRAINLEAVEtbseglsig2)) "))) fO efqi fO efqi 
"(tbseglfree -> (tbsig2green -> (tbseglblocked -> TRAINLEAVEtbseglsig2)))" Using 
(A str str’ —>• strAppend str (strAppend " III " str’)) , 

(A a str —> strAppend "fmap (" (strAppend str ")")) , 

(A a str —>• strAppend "fmap (" (strAppend str ")")) Using 

(A str str’ —>■ strAppend str (strAppend " [| |]" str’)) , 

(A a str —>• strAppend "fmap (" (strAppend str ")")) , 

(A a str —► strAppend "fmap (" (strAppend str ")"))) (projSubset (nth [] _))) :: l) .m zero 

(tnode (intc .(renamelnSystem (Lab (((fmap+ cl±l’c->c (fmap+ inj! (fmap+ cl±J’c->c (fmap+ inj 2 
(A _ —)■ lab (setSig ta sigl red)) 

(A —)■ SIGCTL sigl) fO efqi fO efqi "(tasiglred -> SIGCTLsigl)" □+ process+ fl 

(A _ —>■ lab (setSig ta sigl green)) 

(A _ —> SIGCTL sigl) fO efqi fO efqi " (tasiglgreen -> SIGCTLsigl)") □+ fmap+ cl±)’c->c (proa 
(A _ —>■ lab (setSig tb sigl red)) 

(A _ —> SIGCTL sigl) fO efqi fO efqi "(tbsiglred -> SIGCTLsigl)" □+ process+ fl 
(A _ —>• lab (setSig tb sigl green)) 

(A —> SIGCTL sigl) fO efqi fO efqi " (tbsiglgreen -> SIGCTLsigl) ")))))) |||wl\lam++ 

fmap+ d±l'c->c (fmap+ cl±l'c->c (process+ fl 
(A _ —y lab (setSig ta sig2 red)) 

(A _ —> SIGCTL sig2) fO efqi fO efqi "(tasig2red -> SIGCTLsig2)" □+ process+ fl 
(A _ —>■ lab (setSig ta sig2 green)) 

(A —> SIGCTL sig2) fO efqi fO efqi " (tasig2green -> SIGCTLsig2) ") □+ fmap+ cl±)'c->c (proa 

(A _ —> lab (setSig tb sig2 red)) 

(A _ —> SIGCTL sig2) fO efqi fO efqi "(tbsig2red -> SIGCTLsig2)" □+ process+ fl 
(A _ —>• lab (setSig tb sig2 green)) 

(A _ —>• SIGCTL sig2) fO efqi fO efqi " (tbsig2green -> SIGCTLsig2) ")) Using 
(A str str’ —>■ strAppend str (strAppend " III " str’)) , 

(A a str —>• strAppend "fmap (" (strAppend str ")")) , 

(A a str —> strAppend "fmap (" (strAppend str ")"))) |||wNam++ fmap+ 01±)0->0 (fmapWithName- 
(A str —>• strAppend "fmap (" (strAppend str ")")) inji (fmap+ cl±l’c->c (fmap+ inji (fmap+ ctd'c-' 
(A _ —>■ lab (getSegm ta segl blocked)) 

(A —> SEGCTL1 segl blocked) fO efqi fO efqi " (taseglblocked -> SEGCTLlseglblocked)" □+ 

(A _ —>■ lab (getSegm tb segl blocked)) 

(A _ —>• SEGCTL1 segl blocked) fO efqi fO efqi "(tbseglblocked -> SEGCTLlseglblocked)") Dw 
(A _ —>■ lab (setSegm ta segl free)) 

(A _ —>• SEGCTL segl free) fO efqi fO efqi "(taseglfree -> SEGCTLseglf ree)" □+ process+ fl 
(A _ —> lab (setSegm ta segl blocked)) 

(A —>• SEGCTL segl blocked) fO efqi fO efqi "(taseglblocked -> SEGCTLseglblocked) ") □+ fr 

(A _ —> lab (setSegm tb segl free)) 

(A _ —>■ SEGCTL segl free) fO efqi fO efqi "(tbseglfree -> SEGCTLseglf ree)" □+ process+ fl 
(A _ —>■ lab (setSegm tb segl blocked)) 
(X —y SEGCTL segl blocked) fO efqi fO efqi " (tbseglblocked -> SEGCTLseglblocked) 

(X str str’ —> strAppend str (strAppend " □ " str’)) , 

(X str strAppend "fmap (" (strAppend str ")")) , 

(X str —>• strAppend "fmap (" (strAppend str")"))))))))))) Using 
(X str str’ —> strAppend str (strAppend " III " str’)) , 

(X a str —>■ strAppend "fmap (" (strAppend str ")")) , 

(X a str —>• strAppend "fmap (" (strAppend str ")"))) [ 

(X x —* true) ]||wl\lam+[ 

(X x —> true) ] process+ fl 

(X —y lab (setSig ta sigl red)) 

(X —y delay (node (process+ fl 

(X _ —^ lab (setSegm ta segl free)) 

(X —y TRAINENTER ta segl sigl) fO efq x fO efq x "(taseglfree -> TRAINENTERtasegls: 

(X —y lab (getSegm tb segl free)) 

(X _ —> delay (node (process+ fl 

(X —y lab (setSig tb sig2 green)) 

(X _ —> delay (node (process+ fl 
(X _ —> lab (setSegm tb segl blocked)) 

(X — y TRAINLEAVE tb segl sig2) fO efq x fO efq x "(tbseglblocked -> TRAINLEAVEtbseg 

" (tbsig2green -> (tbseglblocked -> TRAINLEAVEtbseglsig2)) "))) fO efq x fO efq 
"(tbseglfree -> (tbsig2green -> (tbseglblocked -> TRAINLEAVEtbseglsig2)) 
(X str str’ —» strAppend str (strAppend " III " str’)) , 

(X a str strAppend "fmap (" (strAppend str ")")) , 

(X a str —>• strAppend "fmap (" (strAppend str ")")) Using 

(X str str’ —> strAppend str (strAppend " [| |]" str’)) , 

(X a str —>• strAppend "fmap (" (strAppend str ")")) , 

(X a str —► strAppend "fmap (" (strAppend str ")"))) (projSubset (nth [] _))) :: l) .m zero ( 

noTraceBadSignal m .(lab (setSigs sigl green) :: 4) 

(tnode (intc .(lab (setSigs sigl green) :: 4) zero 

(tnode (extc 4 .m zero 

(tnode (intc .4 .m zero 

(tnode (intc .4 -m o mm) mm’ll’ 

noTraceBadSignal .(just (PT (((fmap+ cl±l'c->c (fmap+ inj x (fmap+ cl±)’c->c (fmap+ injo (fma 
(X —y lab (setSig ta sigl red)) 

(X _ — > SIGCTL sigl) fO efqi fO efq x " (tasiglred -> SIGCTLsigl)" □+ process+ fl 
(X _ —> lab (setSig ta sigl green)) 

(X _ —> SIGCTL sigl) fO efq x fO efq x " (tasiglgreen -> SIGCTLsigl)") □+ fmap+ cttl'c-' 
(X —^ lab (setSig tb sigl red)) 

(X _ —> SIGCTL sigl) fO efq x fO efq x " (tbsiglred -> SIGCTLsigl)" □+ process+ fl 
(X _ —> lab (setSig tb sigl green)) 

(X —y SIGCTL sigl) fO efq x fO efq x " (tbsiglgreen -> SIGCTLsigl) ")))))) |||wNam++ f 

(X _ —> lab (setSig ta sig2 red)) 

(X _ —» SIGCTL sig2) fO efqi fO efqi "(tasig2red -> SIGCTLsig2)" □+ process+ fl 
(X —y lab (setSig ta sig2 green)) 

(X _ —> SIGCTL sig2) fO efq! fO efq! " (tasig2green -> SIGCTLsig2) ") □ + fmap+ cl±)'c->c (proa 
(X —y lab (setSig tb sig2 red)) 

(X _ —>■ SIGCTL sig2) fO efqi fO efqi "(tbsig2red -> SIGCTLsig2)" □+ process+ fl 
(X —y lab (setSig tb sig2 green)) 

(X —y SIGCTL sig2) fO efqi fO efqi " (tbsig2green -> SIGCTLsig2) ")) Using 

(X str str’ —>• strAppend str (strAppend " III " str’)) , 

(X a str strAppend "fmap (" (strAppend str ")")) , 

(X a str —> strAppend "fmap (" (strAppend str ")"))) |||wNam++ fmap+ 0l±J0->0 (fmapWithName- 
(X str —> strAppend "fmap (" (strAppend str ")")) inji 
(fmap+ cl±)’c->c (fmap+ inji (fmap+ cl±)’c->c (fmap+ inji (fmap+ cl±l’c->c (fmap+ inj 2 
(fmap+ 01±l0->0 (fmap+ cl±)’c->c (process+ fl 

(X —y lab (getSegm ta segl blocked)) 

(X —> SEGCTL1 segl blocked) fO efqi fO efqi 

" (taseglblocked -> SEGCTLlseglblocked)" □+ process+ fl 
(X _ —> lab (getSegm tb segl blocked)) 

(X —y SEGCTL1 segl blocked) fO efqi fO efqi " (tbseglblocked -> SEGCTLlseglblocked)") Dw 

(X —y lab (setSegm ta segl free)) 

(X —> SEGCTL segl free) fO efqi fO efqi "(taseglfree -> SEGCTLseglf ree)" □+ process+ fl 

(X _ —>■ lab (setSegm ta segl blocked)) 

(X _ —> SEGCTL segl blocked) fO efqi fO efqi "(taseglblocked -> SEGCTLseglblocked) ") □+ fr 
(X —^ lab (setSegm tb segl free)) 

(X _ —> SEGCTL segl free) fO efqi fO efqi "(tbseglfree -> SEGCTLseglf ree)" □+ process+ fl 
(X —y lab (setSegm tb segl blocked)) 

(X —y SEGCTL segl blocked) fO efqi fO efqi "(tbseglblocked -> SEGCTLseglblocked)")) Using 

(X str str’ —>• strAppend str (strAppend " □ " str’)) , 

(X str —>• strAppend "fmap (" (strAppend str ")")) , 

(X str —>• strAppend "fmap (" (strAppend str")"))))))))))) Using 
(X str str’ —>■ strAppend str (strAppend " III " str’)) , 

(X a str —>■ strAppend "fmap (" (strAppend str ")")) , 

(X a str —> strAppend "fmap (" (strAppend str ")"))) [ 

(X x —> true) ]||wl\lam+[ 

(X x —y true) ] process+ fl 
(X _ —)• lab (setSig ta sigl red)) 

(X _ —> delay (node (process+ fl 
(X _ —>• lab (setSegm ta segl free)) 

(X _ —> TRAINENTER ta segl sigl) fO efqi fO efqi 
"(taseglfree -> TRAINENTERtaseglsigl) "))) fO efqi fO efqi 

"(tasiglred -> (taseglfree -> TRAINENTERtaseglsigl))" |j|wl\lam++ process+ fl 
(X —y lab (getSegm tb segl free)) 

(X —y delay (node (process+ fl 

(X —y lab (setSig tb sig2 green)) 

(X —y delay (node (process+ fl 

(X —} lab (setSegm tb segl blocked)) 

(X —} TRAINLEAVE tb segl sig2) fO efqi fO efqi 

" (tbseglblocked -> TRAINLEAVEtbseglsig2) "))) fO efqi fO efq x 
" (tbsig2green -> (tbseglblocked -> TRAINLEAVEtbseglsig2)) "))) fO efqi fO efqi 
"(tbseglfree -> (tbsig2green -> (tbseglblocked -> TRAINLEAVEtbseglsig2))) 
(X str str’ —} strAppend str (strAppend " III " str ’)) , 

(X a str-t strAppend "fmap (" (strAppend str ")")) , 

(X a str—} strAppend "fmap (" (strAppend str ")")) Using 

(X str str’ —} strAppend str (strAppend " [| |]" str’)) , 

(X a str —} strAppend "fmap (" (strAppend str ")")) , 

(X a str —} strAppend "fmap (" (strAppend str ")"))) (nth [] _))) .(lab (setSigs sigl green) 

(tnode (intc .(lab (setSigs sigl green) :: []) .(just (PT (((fmap+ cl±l’c->c (fmap+ inji (fmaf 
(X —} lab (setSig ta sigl red)) 

(X _ —> SIGCTL sigl) fO efqx fO efqi "(tasiglred -> SIGCTLsigl)" □+ process+ fl 
(X —} lab (setSig ta sigl green)) 

(X —} SIGCTL sigl) fO efqi fO efqi " (tasiglgreen -> SIGCTLsigl)") □+ fmap+ cl±l'c-i 

(X _ —> lab (setSig tb sigl red)) 

(X _ —} SIGCTL sigl) fO efqi fO efqi " (tbsiglred -> SIGCTLsigl)" □ + process+ fl 
(X —y lab (setSig tb sigl green)) 

(X —} SIGCTL sigl) fO efqi fO efqi " (tbsiglgreen -> SIGCTLsigl) ")))))) |(|wl\lam++ f 

(X _ —} lab (setSig ta sig2 red)) 

(X —} SIGCTL sig2) fO efqi fO efqi " (tasig2red -> SIGCTLsig2)" □ + process+ fl 

(X —} lab (setSig ta sig2 green)) 

(X —} SIGCTL sig2) fO efqi fO efqi " (tasig2green -> SIGCTLsig2) ") □+ fmap+ ctH’c-0 

(X —} lab (setSig tb sig2 red)) 

(X —} SIGCTL sig2) fO efqi fO efqi " (tbsig2red -> SIGCTLsig2)" □+ process+ fl 

(X _ —>■ lab (setSig tb sig2 green)) 

(X —} SIGCTL sig2) fO efqi fO efqi " (tbsig2green -> SIGCTLsig2) ")) Using 

(X str str’ —} strAppend str (strAppend " III " str’)) , 

(X a str —>■ strAppend "fmap (" (strAppend str ")")) , 

(X a str —>■ strAppend "fmap (" (strAppend str ")"))) |j|wNam++ fmap+ 0l±)0->0 (fmapWi 
(X str —} strAppend "fmap (" (strAppend str ")")) inji 

(fmap+ cl±l’c->c (fmap+ inji (fmap+ cl±l’c->c (fmap+ inji (fmap+ cl±l’c->c 
(fmap+ inj 2 (fmap+ 0l±)0->0 (fmap+ ctt)’c->c (process+ fl 
(X _ —> lab (getSegm ta segl blocked)) 

(X _ —> SEGCTL1 segl blocked) fO efqi fO efqi " (taseglblocked -> SEGCTLlseglblockec 
(X —y lab (getSegm tb segl blocked)) 
(X _ —>■ SEGCTL1 segl blocked) fO efqi fO efqi 

" (tbseglblocked -> SEGCTLlseglblocked) ") □wl\lam+ fmap+ ct±J’c->c (fmap+ d±)’c->c (proc 
(X —y lab (setSegm ta segl free)) 

(X —y SEGCTL segl free) fO efqi fO efqi "(taseglfree -> SEGCTLseglf ree)" □+ process+ fl 

(X —y lab (setSegm ta segl blocked)) 

(X _ —>■ SEGCTL segl blocked) fO efqi fO efqi 
" (taseglblocked -> SEGCTLseglblocked) ") □+ fmap+ cl±l'c->c (process+ fl 
(X —y lab (setSegm tb segl free)) 

(X —y SEGCTL segl free) fO efqi fO efqi " (tbseglfree -> SEGCTLseglf ree)" □+ process+ fl 

(X _ —>■ lab (setSegm tb segl blocked)) 

(X —)■ SEGCTL segl blocked) fO efqi fO efqi "(tbseglblocked -> SEGCTLseglblocked)")) Using 

(X str str’ —} strAppend str (strAppend " □ " str ’)) , 

(X str —> strAppend "fmap (" (strAppend str ")")) , 

(X str —>• strAppend "fmap (" (strAppend str ")"))))))))))) Using 
(X str str’ —} strAppend str (strAppend " III " str’)) , 

(X a str —} strAppend "fmap (" (strAppend str ")")) , 

(X a str —} strAppend "fmap (" (strAppend str ")"))) [ 

(X x —y true) ]||wNam+[ 

(X x —> true) ] process+ fl 

(X —y lab (setSig ta sigl red)) 

(X —y delay (node (process+ fl 

(X _ —> lab (setSegm ta segl free)) 

(X _ —> TRAINENTER ta segl sigl) fO efqi fO efqi 
"(taseglfree -> TRAINENTERtaseglsigl) "))) fO efqi fO efqi 

"(tasiglred -> (taseglfree -> TRAINENTERtaseglsigl))" |||wl\lam++ process+ fl 

(X —y lab (getSegm tb segl free)) 

(X —y delay (node (process+ fl 

(X _ —>• lab (setSig tb sig2 green)) 

(X _ —>■ delay (node (process+ fl 

(X —y lab (setSegm tb segl blocked)) 

(X _ —> TRAINLEAVE tb segl sig2) fO efqi fO efqi 
"(tbseglblocked -> TRAINLEAVEtbseglsig2) "))) fO efqi fO efqi 
" (tbsig2green -> (tbseglblocked -> TRAINLEAVEtbseglsig2) )"))) fO efqi fO efqi 
"(tbseglfree -> (tbsig2green -> (tbseglblocked -> TRAINLEAVEtbseglsig2)))" Using 
(X str str’ —>■ strAppend str (strAppend " III " str’)) , 

(X a str—} strAppend "fmap (" (strAppend str ")")) , 

(X a str —} strAppend "fmap (" (strAppend str ")")) Using 

(X str str’ —} strAppend str (strAppend " [| |]" str’)) , 

(X a str —} strAppend "fmap (" (strAppend str ")")) , 

(X a str —> strAppend "fmap (" (strAppend str ")"))) (nth [] _))) zero 

(tnode (extc .[] .(just (PT (((fmap+ cl±l’c->c (fmap+ inji (fmap+ cl±l'c->c (fmap+ inj 2 (fmap+ cl±l 
(X _ —> lab (setSig ta sigl red)) 

(X _ —y SIGCTL sigl) fO efqi fO efq x 
" (tasiglred -> SIGCTLsigl)" □+ process+ fl 

(X —y lab (setSig ta sigl green)) 

(X —y SIGCTL sigl) fO efqi fO efqi 

" (tasiglgreen -> SIGCTLsigl)") □+ fmap+ cl±l’c->c (process+ fl 

(X —y lab (setSig tb sigl red)) 

(X —y SIGCTL sigl) fO efqi fO efq x 

" (tbsiglred -> SIGCTLsigl)" □+ process+ fl 

(X —y lab (setSig tb sigl green)) 

(X _ —> SIGCTL sigl) fO efqi fO efqi 

" (tbsiglgreen -> SIGCTLsigl) ")))))) |||wNam++ fmap+ d±l’c->c (fmap+ cl±)'c->c (pi 

(X —y lab (setSig ta sig2 red)) 

(X _ —> SIGCTL sig2) fO efqi fO efq x 
" (tasig2red -> SIGCTLsig2)" □+ process+ fl 
(X _ —> lab (setSig ta sig2 green)) 

(X _ —y SIGCTL sig2) fO efqi fO efqi 
" (tasig2green -> SIGCTLsig2) ") □+ fmap+ ctfcl'c->c (process+ fl 
(X _ —y lab (setSig tb sig2 red)) 

(X —y SIGCTL sig2) fO efqi fO efqi 

" (tbsig2red -> SIGCTLsig2)" □+ process+ fl 

(X —y lab (setSig tb sig2 green)) 

(X _ —y SIGCTL sig2) fO efqi fO efq x 
" (tbsig2green -> SIGCTLsig2) ")) Using 
(X str str’ —> strAppend str (strAppend " III " str ’)) , 

(X a str —>• strAppend "fmap (" (strAppend str ")")) , 

(X a str —>■ strAppend "fmap (" (strAppend str ")"))) |||wl\lam++ fmap+ 0l±l0->0 (fmapWi 
(X str —>• strAppend "fmap (" (strAppend str ")")) inj x (fmap+ cl±l’c->c (fmap+ inj x (fmap- 
(X _ —> lab (getSegm ta segl blocked)) 

(X —y SEGCTL1 segl blocked) fO efq x fO efq x 

" (taseglblocked -> SEGCTLlseglblocked)" □+ process+ fl 

(X —y lab (getSegm tb segl blocked)) 

(X _ —y SEGCTL1 segl blocked) fO efq x fO efq x 
" (tbseglblocked -> SEGCTLlseglblocked)") DwNam+ fmap+ cl±)'c->c (fmap+ cW'c- 
(X _ —>■ lab (setSegm ta segl free)) 

(X _ —y SEGCTL segl free) fO efq x fO efqi 
"(taseglfree -> SEGCTLseglf ree)" □+ process+ fl 
(X _ —> lab (setSegm ta segl blocked)) 

(X _ —> SEGCTL segl blocked) fO efq x fO efq x 
"(taseglblocked -> SEGCTLseglblocked) ") □+ fmap+ cl±l'c->c (process+ fl 
(X —y lab (setSegm tb segl free)) 
(X _ —* SEGCTL segl free) fO efqi fO efqi 
"(tbseglfree -> SEGCTLseglf ree)" □+ process+ fl 

(X —y lab (setSegm tb segl blocked)) 

(X _ —> SEGCTL segl blocked) fO efqi fO efqi 
"(tbseglblocked -> SEGCTLseglblocked) ")) Using 
(X str str’ —>■ strAppend str (strAppend " □ " str’)) , 

(X str —>• strAppend "fmap (" (strAppend str ")")) , 

(X str —>• strAppend "fmap (" (strAppend str")"))))))))))) Using 
(X str str’ —> strAppend str (strAppend " III " str’)) , 

(X a str strAppend "fmap (" (strAppend str ")")) , 

(X a str —>• strAppend "fmap (" (strAppend str ")"))) [ 

(X x —y true) ]||wl\lam+[ 

(X x —y true) ] process+ fl 
(X _ —>■ lab (setSig ta sigl red)) 

(X _ —> delay (node (process+ fl 

(X —y lab (setSegm ta segl free)) 

(X —> TRAINENTER ta segl sigl) fO efq! fO efqi 

"(taseglfree -> TRAINENTERtaseglsigl) "))) fO efqi fO efqi 

"(tasiglred -> (taseglfree -> TRAINENTERtaseglsigl))" |||wl\lam++ process+ fl 

(X —y lab (getSegm tb segl free)) 

(X —y delay (node (process+ fl 

(X _ —> lab (setSig tb sig2 green)) 

(X —y delay (node (process+ fl 

(X _ —> lab (setSegm tb segl blocked)) 

(X _ —> TRAINLEAVE tb segl sig2) fO efq! fO efq x 
"(tbseglblocked -> TRAINLEAVEtbseglsig2) "))) fO efqi fO efqi 
" (tbsig2green -> (tbseglblocked -> TRAINLEAVEtbseglsig2) )"))) fO efqi fO efqi 
"(tbseglfree -> (tbsig2green -> (tbseglblocked -> TRAINLEAVEtbseglsig2)))" Using 
(X str str’ —>• strAppend str (strAppend " III " str’)) , 

(X a str —>• strAppend "fmap (" (strAppend str ")")) , 

(X a str —>■ strAppend "fmap (" (strAppend str ")")) Using 

(X str str’ —> strAppend str (strAppend " [| |]" str’)) , 

(X a str —> strAppend "fmap (" (strAppend str ")")) , 

(X a str —>■ strAppend "fmap (" (strAppend str ")"))) (nth [] _))) zero 

(tnode (intc .[] .(just (PT (((fmap+ cl±)’c->c (fmap+ inji (fmap+ cl±)’c->c (fmap+ inj 2 (fmap+ cl±)’ 
(X _ —)• lab (setSig ta sigl red)) 

(X _ —>• SIGCTL sigl) fO efqi fO efqi 
"(tasiglred -> SIGCTLsigl)" □+ process+ fl 
(X _ —> lab (setSig ta sigl green)) 

(X _ —y SIGCTL sigl) fO efqi fO efqi 
" (tasiglgreen -> SIGCTLsigl)") □+ fmap+ d±)’c->c (process+ fl 
(X _ —> lab (setSig tb sigl red)) 

(X _ —> SIGCTL sigl) fO efqi fO efqx 
" (tbsiglred -> SIGCTLsigl)" □+ process+ fl 
(X _ —¥ lab (setSig tb sigl green)) 

(X _ —y SIGCTL sigl) fO efqi fO efqi 

" (tbsiglgreen -> SIGCTLsigl) ")))))) |||wNam++ fmap+ d±J’c->c (fmap+ cttl'c->c (pi 

(X —y lab (setSig ta sig2 red)) 

(X —y SIGCTL sig2) fO efqi fO efq x 

" (tasig2red -> SIGCTLsig2)" □+ process+ fl 

(X —y lab (setSig ta sig2 green)) 

(X _ —> SIGCTL sig2) fO efqi fO efqi 
" (tasig2green -> SIGCTLsig2) ") □+ fmap+ cl±)’c->c (process+ fl 

(X —y lab (setSig tb sig2 red)) 

(X _ —> SIGCTL sig2) fO efqi fO efq x 
" (tbsig2red -> SIGCTLsig2)" □+ process+ fl 
(X _ —> lab (setSig tb sig2 green)) 

(X _ —y SIGCTL sig2) fO efqi fO efqi 
" (tbsig2green -> SIGCTLsig2) ")) Using 
(X str str’ —* strAppend str (strAppend " III " str’)) , 

(X a str —» strAppend "fmap (" (strAppend str ")")) , 

(X a str —>■ strAppend "fmap (" (strAppend str ")"))) |||wl\lam++ fmap+ 0l±)0->0 (fmapWi 
(X str —> strAppend "fmap (" (strAppend str ")")) inji (fmap+ cl±l'c->c (fmap+ inji (fmap- 

(X —y lab (getSegm ta segl blocked)) 

(X _ —> SEGCTL1 segl blocked) fO efqi fO efqi 
" (taseglblocked -> SEGCTLlseglblocked)" □+ process+ fl 
(X _ —>• lab (getSegm tb segl blocked)) 

(X —> SEGCTL1 segl blocked) fO efqi fO efqi 
" (tbseglblocked -> SEGCTLlseglblocked)") □wl\lam+ fmap+ d±J'c->c (fmap+ ctfcl’c- 
(X _ —)■ lab (setSegm ta segl free)) 

(X —y SEGCTL segl free) fO efqx fO efqi 

"(taseglfree -> SEGCTLseglf ree)" □+ process+ fl 

(X —y lab (setSegm ta segl blocked)) 

(X _ —y SEGCTL segl blocked) fO efqi fO efqi 
"(taseglblocked -> SEGCTLseglblocked) ") □+ fmap+ cl±l’c->c (process+ fl 
(X _ —>■ lab (setSegm tb segl free)) 

(X _ —y SEGCTL segl free) fO efqi fO efqi 
"(tbseglfree -> SEGCTLseglf ree)" □+ process+ fl 
(X _ —> lab (setSegm tb segl blocked)) 

(X _ —y SEGCTL segl blocked) fO efq! fO efqx 
"(tbseglblocked -> SEGCTLseglblocked)")) Using 
(X str str’ —> strAppend str (strAppend " □ " str’)) , 

879 

A. Agda Code 

(X str —y strAppend "fmap (" (strAppend str ")")) , 

(X str—y strAppend "fmap (" (strAppend str")"))))))))))) Using 
(X str str’ —y strAppend str (strAppend " III " str’)) , 

(X a str—* strAppend "fmap (" (strAppend str ")")) , 

(X a str —y strAppend "fmap (" (strAppend str ")"))) [ 

(X x —y true) ]||wNam+[ 

(X x —y true) ] process+ fl 

(X —y lab (setSig ta sigl red)) 

(X —y delay (node (process+ fl 

(X — y lab (setSegm ta segl free)) 

(X _ —y TRAINENTER ta segl sigl) fO efqi fO efqi 
"(taseglfree -> TRAINENTERtaseglsigl) "))) fO efqi fO efqi 

"(tasiglred -> (taseglfree -> TRAINENTERtaseglsigl))" |||wl\lam++ process+ fl 
(X _ —y lab (getSegm tb segl free)) 

(X _ —y delay (node (process+ fl 
(X _ —y lab (setSig tb sig2 green)) 

(X —y delay (node (process+ fl 

(X _ —y lab (setSegm tb segl blocked)) 

(X — y TRAINLEAVE tb segl sig2) fO efqi fO efq x 

" (tbseglblocked -> TRAINLEAVEtbseglsig2) "))) fO efqi fO efqi 
" (tbsig2green -> (tbseglblocked -> TRAINLEAVEtbseglsig2) )"))) fO efqi fO efqi 
"(tbseglfree -> (tbsig2green -> (tbseglblocked -> TRAINLEAVEtbseglsig2)))" Using 
(X str str’ —y strAppend str (strAppend " III " str’)) , 

(X a str—y strAppend "fmap (" (strAppend str ")")) , 

(X a str —y strAppend "fmap (" (strAppend str ")")) Using 

(X str str’ —y strAppend str (strAppend " [ I I ]" str’)) , 

(X a str —y strAppend "fmap (" (strAppend str ")")) , 

(X a str —y strAppend "fmap (" (strAppend str ")"))) (nth [] _))) zero 

(tnode (terc ())))))))) mm’ll’ 
noTraceBadSignal m .(lab (setSigs sigl green) :: 4) 

(tnode (intc .(lab (setSigs sigl green) :: 4) .m zero 

(tnode (extc 4 .m zero 

(tnode (intc .4 .m (suc ()) tr)))))) mm’ll’ 

noTraceBadSignal .(just (PT (((fmap+ cl±l'c->c (fmap+ inji (fmap+ cl±l’c->c (fmap+ inj 2 (fmap+ ct+J’c 
(X _ —y lab (setSig ta sigl red)) 

(X _ —y SIGCTL sigl) fO efqi fO efqi 
"(tasiglred -> SIGCTLsigl)" □+ process+ fl 
(X _ —y lab (setSig ta sigl green)) 

(X _ —y SIGCTL sigl) fO efqi fO efqi 
" (tasiglgreen -> SIGCTLsigl)") □+ fmap+ cW'c->c (process+ fl 
(X _ —y lab (setSig tb sigl red)) 
(X —y SIGCTL sigl) fO efqi fO efqi 

" (tbsiglred -> SIGCTLsigl)" □+ process+ fl 

(X —y lab (setSig tb sigl green)) 

(X _ —> SIGCTL sigl) fO efqx fO efqx 

" (tbsiglgreen -> SIGCTLsigl) ")))))) |||wl\lam++ fmap+ cl±l’c->c (fmap+ d±l'c->c (pi 

(X —y lab (setSig ta sig2 red)) 

(X —y SIGCTL sig2) fO efqx fO efqx 

" (tasig2red -> SIGCTLsig2)" □+ process+ fl 

(X —^ lab (setSig ta sig2 green)) 

(X _ SIGCTL sig2) fO efqx fO efqx 
" (tasig2green -> SIGCTLsig2) ") □+ fmap+ cW’c->c (process+ fl 

(X —y lab (setSig tb sig2 red)) 

(X _ —> SIGCTL sig2) fO efqx fO efqx 
" (tbsig2red -> SIGCTLsig2)" □+ process+ fl 
(X _ —> lab (setSig tb sig2 green)) 

(X _ —> SIGCTL sig2) fO efqx fO efqx 
" (tbsig2green -> SIGCTLsig2) ")) Using 
(X str str’ —> strAppend str (strAppend " III " str’)) , 

(X a str —>• strAppend "fmap (" (strAppend str ")")) , 

(X a str —>• strAppend "fmap (" (strAppend str ")"))) |j|wl\lam++ fmap+ 0l±)0->0 (fmapWi 
(X str —> strAppend "fmap (" (strAppend str ")")) injx (fmap+ cttl’c->c (fmap+ injx (fmap- 
(X _ —> lab (setSegm ta segl free)) 

(X _ —>• SEGCTL segl free) fO efq x fO efqx 
"(taseglfree -> SEGCTLseglf ree)" □ + process+ fl 
(X _ —>• lab (setSegm ta segl blocked)) 

(X —> SEGCTL segl blocked) fO efqx fO efqx 
" (taseglblocked -> SEGCTLseglblocked) ") □+ fmap+ cl±J’c->c (process+ fl 
(X _ —>■ lab (setSegm tb segl free)) 

(X —y SEGCTL segl free) fO efqx fO efqx 

"(tbseglfree -> SEGCTLseglf ree)" □+ process+ fl 
(X _ —>■ lab (setSegm tb segl blocked)) 

(X _ —> SEGCTL segl blocked) fO efqx fO efqx 
" (tbseglblocked -> SEGCTLseglblocked) ")))))) Using 
(X str str’ —> strAppend str (strAppend " III " str’)) , 

(X a str —>■ strAppend "fmap (" (strAppend str ")")) , 

(X a str —>• strAppend "fmap (" (strAppend str ")"))) [ 

(X x —> true) ]||wNam+[ 

(X x —> true) ] process+ fl 

(X —^ lab (setSegm ta segl blocked)) 

(X —y TRAINLEAVE ta segl sigl) fO efqx fO efqx 

"(taseglblocked -> TRAINLEAVEtaseglsigl)" |||wNam++ process+ fl 
(X _ —> lab (getSegm tb segl free)) 

(X _ —> delay (node (process+ fl 
(X _ —> lab (setSig tb sig2 green)) 

(X —^ delay (node (process+ fl 

(X —y lab (setSegm tb segl blocked)) 

(X —> TRAINLEAVE tb segl sig2) fO efqi fO efqi 

" (tbseglblocked -> TRAINLEAVEtbseglsig2) "))) fO efqi fO efqi 
" (tbsig2green -> (tbseglblocked -> TRAINLEAVEtbseglsig2)) "))) fO efq x fO efq x 
"(tbseglfree -> (tbsig2green -> (tbseglblocked -> TRAINLEAVEtbseglsig2)))" Using 
(X str str’ —>• strAppend str (strAppend " III " str’)) , 

(X a str —» strAppend "fmap (" (strAppend str ")")) , 

(X a str —>■ strAppend "fmap (" (strAppend str ")")) Using 
(X str str’ —* strAppend str (strAppend " [| |]" str’)) , 

(X a str strAppend "fmap (" (strAppend str ")")) , 

(X a str —>■ strAppend "fmap (" (strAppend str ")"))) (nth [] t))) .(lab (setSigs sigl green) :: []) 
(tnode (intc .(lab (setSigs sigl green) :: []) .(just (PT (((fmap+ cl±l’c->c (fmap+ inji (fmap+ ctfcJ'c- 
(X _ —>• lab (setSig ta sigl red)) 

(X _ —> SIGCTL sigl) fO efq! fO efq! 

"(tasiglred -> SIGCTLsigl)" □+ process+ fl 

(X —y lab (setSig ta sigl green)) 

(X —> SIGCTL sigl) fO efqi fO efqi 

" (tasiglgreen -> SIGCTLsigl)") □+ fmap+ d±)’c->c (process+ fl 
(X _ —)■ lab (setSig tb sigl red)) 

(X _ —> SIGCTL sigl) fO efqi fO efqi 
" (tbsiglred -> SIGCTLsigl)" □+ process+ fl 

(X —y lab (setSig tb sigl green)) 

(X _ —> SIGCTL sigl) fO efqi fO efqi 

" (tbsiglgreen -> SIGCTLsigl) ")))))) |||wNam++ fmap+ cW'c->c (fmap+ cl±l’c->c (process+ 

(X —^ lab (setSig ta sig2 red)) 

(X _ —> SIGCTL sig2) fO efqi fO efqi 
" (tasig2red -> SIGCTLsig2)" □+ process+ fl 
(X _ —>■ lab (setSig ta sig2 green)) 

(X _ —> SIGCTL sig2) fO efqi fO efqi 
" (tasig2green -> SIGCTLsig2) ") □+ fmap+ d±)'c->c (process+ fl 
(X _ —)■ lab (setSig tb sig2 red)) 

(X _ —y SIGCTL sig2) fO efqi fO efqi 
" (tbsig2red -> SIGCTLsig2)" □+ process+ fl 

(X —y lab (setSig tb sig2 green)) 

(X _ —> SIGCTL sig2) fO efqi fO efqi 
" (tbsig2green -> SIGCTLsig2) ")) Using 
(X str str’ —>• strAppend str (strAppend " III " str’)) , 
(X a str —>• strAppend "fmap (" (strAppend str ")")) , 

(X a str strAppend "fmap (" (strAppend str ")"))) |||wNam++ fmap+ 0l±)0->0 (fmapWi 
(X str —> strAppend "fmap (" (strAppend str ")")) injx (fmap+ cl±l’c->c (fmap+ inji (fmap- 
(X _ lab (setSegm ta segl free)) 

(X —y SEGCTL segl free) fO efqi fO efqi 

"(taseglfree -> SEGCTLseglf ree)" □+ process+ fl 
(X _ —>• lab (setSegm ta segl blocked)) 

(X _ —> SEGCTL segl blocked) fO efq x fO efqi 
" (taseglblocked -> SEGCTLseglblocked) ") □+ fmap+ cl±l’c->c (process+ fl 

(X —y lab (setSegm tb segl free)) 

(X _ —>■ SEGCTL segl free) fO efqi fO efqi 
" (tbseglfree -> SEGCTLseglfree)" □+ process+ fl 

(X —y lab (setSegm tb segl blocked)) 

(X —y SEGCTL segl blocked) fO efqi fO efqi 

" (tbseglblocked -> SEGCTLseglblocked) ")))))) Using 
(X str str’ —> strAppend str (strAppend " III " str’)) , 

(X a str —>• strAppend "fmap (" (strAppend str ")")) , 

(X a str —> strAppend "fmap (" (strAppend str ")"))) [ 

(X x —> true) ]||wNam+[ 

(X x —> true) ] process+ fl 

(X _ —>■ lab (setSegm ta segl blocked)) 

(X —y TRAINLEAVE ta segl sigl) fO efqi fO efqi 

"(taseglblocked -> TRAINLEAVEtaseglsigl)" |||wl\lam++ process+ fl 

(X —y lab (getSegm tb segl free)) 

(X —y delay (node (process+ fl 

(X _ —>• lab (setSig tb sig2 green)) 

(X —y delay (node (process+ fl 

(X _ —>• lab (setSegm tb segl blocked)) 

(X _ —> TRAINLEAVE tb segl sig2) fO efq x fO efqi 
"(tbseglblocked -> TRAINLEAVEtbseglsig2) "))) fO efqi fO efq x 
" (tbsig2green -> (tbseglblocked -> TRAINLEAVEtbseglsig2)) "))) fO efqi fO efqi 
"(tbseglfree -> (tbsig2green -> (tbseglblocked -> TRAINLEAVEtbseglsig2))) 
(X str str’ —> strAppend str (strAppend " III " str’)) , 

(X a str —>■ strAppend "fmap (" (strAppend str ")")) , 

(X a str —>■ strAppend "fmap (" (strAppend str ")")) Using 

(X str str’ —> strAppend str (strAppend " [| |]" str’)) , 

(X a str —>• strAppend "fmap (" (strAppend str ")")) , 

(X a str —)• strAppend "fmap (" (strAppend str ")"))) (nth [] ())) zero 

(tnode (extc .[] .(just (PT (((fmap+ cl±J’c->c (fmap+ inji (fmap+ cl±l’c->c (fmap+ inj 2 (fn 
(X _ —> lab (setSig ta sigl red)) 

(X —y SIGCTL sigl) fO efqi fO efqi 
" (tasiglred -> SIGCTLsigl)" □+ process+ fl 

(X —y lab (setSig ta sigl green)) 

(X _ —> SIGCTL sigl) fO efqi fO efqi 
" (tasiglgreen -> SIGCTLsigl)") □+ fmap+ cl±)’c->c (process+ fl 
(X _ —> lab (setSig tb sigl red)) 

(X —> SIGCTL sigl) fO efqi fO efqi 

" (tbsiglred -> SIGCTLsigl)" □+ process+ fl 

(X —y lab (setSig tb sigl green)) 

(X _ —y SIGCTL sigl) fO efq! fO efq! 

" (tbsiglgreen -> SIGCTLsigl) ")))))) |||wNam++ fmap+ cl±)'c->c (fmap+ ct±J’c->c (process+ 
(X _ —>■ lab (setSig ta sig2 red)) 

(X _ —>• SIGCTL sig2) fO efqi fO efqi 
" (tasig2red -> SIGCTLsig2)" □+ process+ fl 

(X —y lab (setSig ta sig2 green)) 

(X _ —> SIGCTL sig2) fO efqi fO efqi 
" (tasig2green -> SIGCTLsig2) ") □+ fmap+ cl±l’c->c (process+ fl 
(X _ —>• lab (setSig tb sig2 red)) 

(X _ —> SIGCTL sig2) fO efqi fO efqi 
" (tbsig2red -> SIGCTLsig2)" □+ process+ fl 

(X —y lab (setSig tb sig2 green)) 

(X —> SIGCTL sig2) fO efqi fO efqi 

" (tbsig2green -> SIGCTLsig2) ")) Using 
(X str str’ —> strAppend str (strAppend " III " str’)) , 

(X a str —> strAppend "fmap (" (strAppend str ")")) , 

(X a str —} strAppend "fmap (" (strAppend str ")"))) |||wl\lam++ fmap+ 0l±)0->0 (fmapWithName- 
(X str—} strAppend "fmap (" (strAppend str ")")) inji (fmap+ cl±l’c->c (fmap+ inji (fmap+ ctfcl'c-i 

(X —y lab (setSegm ta segl free)) 

(X —y SEGCTL segl free) fO efqi fO efqi 

"(taseglfree -> SEGCTLseglf ree)" □+ process+ fl 

(X —y lab (setSegm ta segl blocked)) 

(X —y SEGCTL segl blocked) fO efqi fO efqi 

" (taseglblocked -> SEGCTLseglblocked) ") □+ fmap+ cl±)'c->c (process+ fl 
(X _ —>■ lab (setSegm tb segl free)) 

(X —y SEGCTL segl free) fO efqi fO efqi 

"(tbseglfree -> SEGCTLseglf ree)" □+ process+ fl 

(X —} lab (setSegm tb segl blocked)) 

(X _ —> SEGCTL segl blocked) fO efqi fO efqi 
" (tbseglblocked -> SEGCTLseglblocked) ")))))) Using 
(X str str’ —} strAppend str (strAppend " III " str’)) , 

(X a str —} strAppend "fmap (" (strAppend str ")")) , 

(X a str —> strAppend "fmap (" (strAppend str ")"))) [ 
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(X x —> true) ]||wNam+[ 

(X x —>■ true) ] process+ fl 

(X —y lab (setSegm ta segl blocked)) 

(X_ —y TRAINLEAVE ta segl sigl) fO efqi fO efqi 

" (taseglblocked -> TRAINLEAVEtaseglsigl)" ||jwNam++ process+ fl 

(X —y lab (getSegm tb segl free)) 

(X —y delay (node (process+ fl 

(X —y lab (setSig tb sig2 green)) 

(X —y delay (node (process+ fl 

(X —y lab (setSegm tb segl blocked)) 

(X —y TRAINLEAVE tb segl sig2) fO efqi fO efqi 

" (tbseglblocked -> TRAINLEAVEtbseglsig2) "))) fO efq! fO efq x 
" (tbsig2green -> (tbseglblocked -> TRAINLEAVEtbseglsig2)) "))) fO efqi fO efqi 
"(tbseglfree -> (tbsig2green -> (tbseglblocked -> TRAINLEAVEtbseglsig2))) 
(X str str’ —> strAppend str (strAppend " III " str’)) , 

(X a str —>• strAppend "fmap (" (strAppend str ")")) , 

(X a str —>• strAppend "fmap (" (strAppend str ")")) Using 

(X str str’ —> strAppend str (strAppend " [ I I ] " str’)) , 

(X a str —>• strAppend "fmap (" (strAppend str ")")) , 

(X a str —>• strAppend "fmap (" (strAppend str ")"))) (nth [] t))) zero 

(tnode (terc t)))))) mm’ () 

noTraceBadSignal m .(renameInSystem (Lab (((fmap+ c⊎'c→c (fmap+ c⊎'c→c (process+ f1
(λ _ → lab (setSig ta sig1 red))
(λ _ → SIGCTL sig1) f0 efq₁ f0 efq₁
"(tasig1red -> SIGCTLsig1)" □+ process+ f1
(λ _ → lab (setSig ta sig1 green))
(λ _ → SIGCTL sig1) f0 efq₁ f0 efq₁
"(tasig1green -> SIGCTLsig1)") □+ fmap+ c⊎'c→c (process+ f1
(λ _ → lab (setSig tb sig1 red))
(λ _ → SIGCTL sig1) f0 efq₁ f0 efq₁
"(tbsig1red -> SIGCTLsig1)" □+ process+ f1
(λ _ → lab (setSig tb sig1 green))
(λ _ → SIGCTL sig1) f0 efq₁ f0 efq₁
"(tbsig1green -> SIGCTLsig1)")) |||wNam++ fmap+ c⊎'c→c (fmap+ c⊎'c→c (proce
(λ _ → lab (setSig ta sig2 red))
(λ _ → SIGCTL sig2) f0 efq₁ f0 efq₁
"(tasig2red -> SIGCTLsig2)" □+ process+ f1
(λ _ → lab (setSig ta sig2 green))
(λ _ → SIGCTL sig2) f0 efq₁ f0 efq₁
"(tasig2green -> SIGCTLsig2)") □+ fmap+ c⊎'c→c (process+ f1
(λ _ → lab (setSig tb sig2 red))
(λ _ → SIGCTL sig2) f0 efq₁ f0 efq₁
"(tbsig2red -> SIGCTLsig2)" □+ process+ f1
(λ _ → lab (setSig tb sig2 green))
(λ _ → SIGCTL sig2) f0 efq₁ f0 efq₁
"(tbsig2green -> SIGCTLsig2)")) Using
(λ str str' → strAppend str (strAppend " ||| " str')) ,
(λ a str → strAppend "fmap (" (strAppend str ")")) ,
(λ a str → strAppend "fmap (" (strAppend str ")"))) |||wNam++ fmap+ 0⊎0→0 (fmapWithName-
(λ str → strAppend "fmap (" (strAppend str ")")) inj₁ (fmap+ c⊎'c→c (fmap+ inj₁ (fmap+ c⊎'c→c
(λ _ → lab (setSegm ta seg1 free))
(λ _ → SEGCTL seg1 free) f0 efq₁ f0 efq₁
"(taseg1free -> SEGCTLseg1free)" □+ process+ f1
(λ _ → lab (setSegm ta seg1 blocked))
(λ _ → SEGCTL seg1 blocked) f0 efq₁ f0 efq₁
"(taseg1blocked -> SEGCTLseg1blocked)") □+ fmap+ c⊎'c→c (process+ f1
(λ _ → lab (setSegm tb seg1 free))
(λ _ → SEGCTL seg1 free) f0 efq₁ f0 efq₁
"(tbseg1free -> SEGCTLseg1free)" □+ process+ f1
(λ _ → lab (setSegm tb seg1 blocked))
(λ _ → SEGCTL seg1 blocked) f0 efq₁ f0 efq₁
"(tbseg1blocked -> SEGCTLseg1blocked)")))))) Using
(λ str str' → strAppend str (strAppend " ||| " str')) ,
(λ a str → strAppend "fmap (" (strAppend str ")")) ,
(λ a str → strAppend "fmap (" (strAppend str ")"))) [
(λ x → true) ]||wNam+[
(λ x → true) ] process+ f1
(λ _ → lab (setSig ta sig1 green))
(λ _ → delay (node (process+ f1
(λ _ → lab (setSegm ta seg1 blocked))
(λ _ → TRAINLEAVE ta seg1 sig1) f0 efq₁ f0 efq₁
"(taseg1blocked -> TRAINLEAVEtaseg1sig1)"))) f0 efq₁ f0 efq₁
"(tasig1green -> (taseg1blocked -> TRAINLEAVEtaseg1sig1))" |||wNam++ process+ f1
(λ _ → lab (getSegm tb seg1 free))
(λ _ → delay (node (process+ f1
(λ _ → lab (setSig tb sig2 green))
(λ _ → delay (node (process+ f1
(λ _ → lab (setSegm tb seg1 blocked))
(λ _ → TRAINLEAVE tb seg1 sig2) f0 efq₁ f0 efq₁
"(tbseg1blocked -> TRAINLEAVEtbseg1sig2)"))) f0 efq₁ f0 efq₁
"(tbsig2green -> (tbseg1blocked -> TRAINLEAVEtbseg1sig2))"))) f0 efq₁ f0 efq₁
"(tbseg1free -> (tbsig2green -> (tbseg1blocked -> TRAINLEAVEtbseg1sig2)))" Using
(λ str str' → strAppend str (strAppend " ||| " str')) ,
(λ a str → strAppend "fmap (" (strAppend str ")")) ,
(λ a str → strAppend "fmap (" (strAppend str ")")) Using
(λ str str' → strAppend str (strAppend " [||] " str')) ,
(λ a str → strAppend "fmap (" (strAppend str ")")) ,
(λ a str → strAppend "fmap (" (strAppend str ")"))) (projSubset (nth [] _))) :: l)
(tnode (intc .(renameInSystem (Lab (((fmap+ c⊎'c→c (fmap+ c⊎'c→c (process+ f1
(λ _ → lab (setSig ta sig1 red))
(λ _ → SIGCTL sig1) f0 efq₁ f0 efq₁
"(tasig1red -> SIGCTLsig1)" □+ process+ f1
(λ _ → lab (setSig ta sig1 green))
(λ _ → SIGCTL sig1) f0 efq₁ f0 efq₁
"(tasig1green -> SIGCTLsig1)") □+ fmap+ c⊎'c→c (process+ f1
(λ _ → lab (setSig tb sig1 red))
(λ _ → SIGCTL sig1) f0 efq₁ f0 efq₁
"(tbsig1red -> SIGCTLsig1)" □+ process+ f1
(λ _ → lab (setSig tb sig1 green))
(λ _ → SIGCTL sig1) f0 efq₁ f0 efq₁
"(tbsig1green -> SIGCTLsig1)")) |||wNam++ fmap+ c⊎'c→c (fmap+ c⊎'c→c (proce
(λ _ → lab (setSig ta sig2 red))
(λ _ → SIGCTL sig2) f0 efq₁ f0 efq₁
"(tasig2red -> SIGCTLsig2)" □+ process+ f1
(λ _ → lab (setSig ta sig2 green))
(λ _ → SIGCTL sig2) f0 efq₁ f0 efq₁
"(tasig2green -> SIGCTLsig2)") □+ fmap+ c⊎'c→c (process+ f1
(λ _ → lab (setSig tb sig2 red))
(λ _ → SIGCTL sig2) f0 efq₁ f0 efq₁
"(tbsig2red -> SIGCTLsig2)" □+ process+ f1
(λ _ → lab (setSig tb sig2 green))
(λ _ → SIGCTL sig2) f0 efq₁ f0 efq₁
"(tbsig2green -> SIGCTLsig2)")) Using
(λ str str' → strAppend str (strAppend " ||| " str')) ,
(λ a str → strAppend "fmap (" (strAppend str ")")) ,
(λ a str → strAppend "fmap (" (strAppend str ")"))) |||wNam++ fmap+ 0⊎0→0 (fmapWi
(λ str → strAppend "fmap (" (strAppend str ")")) inj₁ (fmap+ c⊎'c→c (fmap+ inj₁ (fmap-
(λ _ → lab (setSegm ta seg1 free))
(λ _ → SEGCTL seg1 free) f0 efq₁ f0 efq₁
"(taseg1free -> SEGCTLseg1free)" □+ process+ f1
(λ _ → lab (setSegm ta seg1 blocked))
(λ _ → SEGCTL seg1 blocked) f0 efq₁ f0 efq₁
"(taseg1blocked -> SEGCTLseg1blocked)") □+ fmap+ c⊎'c→c (process+ f1
A. Agda Code 

(λ _ → lab (setSegm tb seg1 free))
(λ _ → SEGCTL seg1 free) f0 efq₁ f0 efq₁
"(tbseg1free -> SEGCTLseg1free)" □+ process+ f1
(λ _ → lab (setSegm tb seg1 blocked))
(λ _ → SEGCTL seg1 blocked) f0 efq₁ f0 efq₁
"(tbseg1blocked -> SEGCTLseg1blocked)")))))) Using
(λ str str' → strAppend str (strAppend " ||| " str')) ,
(λ a str → strAppend "fmap (" (strAppend str ")")) ,
(λ a str → strAppend "fmap (" (strAppend str ")"))) [
(λ x → true) ]||wNam+[
(λ x → true) ] process+ f1
(λ _ → lab (setSig ta sig1 green))
(λ _ → delay (node (process+ f1
(λ _ → lab (setSegm ta seg1 blocked))
(λ _ → TRAINLEAVE ta seg1 sig1) f0 efq₁ f0 efq₁
"(taseg1blocked -> TRAINLEAVEtaseg1sig1)"))) f0 efq₁ f0 efq₁
"(tasig1green -> (taseg1blocked -> TRAINLEAVEtaseg1sig1))" |||wNam++ process+ f1
(λ _ → lab (getSegm tb seg1 free))
(λ _ → delay (node (process+ f1
(λ _ → lab (setSig tb sig2 green))
(λ _ → delay (node (process+ f1
(λ _ → lab (setSegm tb seg1 blocked))
(λ _ → TRAINLEAVE tb seg1 sig2) f0 efq₁ f0 efq₁
"(tbseg1blocked -> TRAINLEAVEtbseg1sig2)"))) f0 efq₁ f0 efq₁
"(tbsig2green -> (tbseg1blocked -> TRAINLEAVEtbseg1sig2))"))) f0 efq₁ f0 efq₁
"(tbseg1free -> (tbsig2green -> (tbseg1blocked -> TRAINLEAVEtbseg1sig2)))" Using
(λ str str' → strAppend str (strAppend " ||| " str')) ,
(λ a str → strAppend "fmap (" (strAppend str ")")) ,
(λ a str → strAppend "fmap (" (strAppend str ")")) Using
(λ str str' → strAppend str (strAppend " [||] " str')) ,
(λ a str → strAppend "fmap (" (strAppend str ")")) ,
(λ a str → strAppend "fmap (" (strAppend str ")"))) (projSubset (nth [] _))) :: l) .m zero
(tnode (extc l .m (suc ()) tr)))) mm' ll'
noTraceBadSignal m l
(tnode (intc .l .m zero
(tnode (intc .l .m 0 tr)))) mm' ll'
noTraceBadSignal .(just (PT (((fmap+ c⊎'c→c (fmap+ c⊎'c→c (process+ f1
(λ _ → lab (setSig ta sig1 red))
(λ _ → SIGCTL sig1) f0 efq₁ f0 efq₁
"(tasig1red -> SIGCTLsig1)" □+ process+ f1
(λ _ → lab (setSig ta sig1 green))
(λ _ → SIGCTL sig1) f0 efq₁ f0 efq₁
"(tasig1green -> SIGCTLsig1)") □+ fmap+ c⊎'c→c (process+ f1
(λ _ → lab (setSig tb sig1 red))
(λ _ → SIGCTL sig1) f0 efq₁ f0 efq₁
"(tbsig1red -> SIGCTLsig1)" □+ process+ f1
(λ _ → lab (setSig tb sig1 green))
(λ _ → SIGCTL sig1) f0 efq₁ f0 efq₁
"(tbsig1green -> SIGCTLsig1)")) |||wNam++ fmap+ c⊎'c→c (fmap+ c⊎'c→c (proce
(λ _ → lab (setSig ta sig2 red))
(λ _ → SIGCTL sig2) f0 efq₁ f0 efq₁
"(tasig2red -> SIGCTLsig2)" □+ process+ f1
(λ _ → lab (setSig ta sig2 green))
(λ _ → SIGCTL sig2) f0 efq₁ f0 efq₁
"(tasig2green -> SIGCTLsig2)") □+ fmap+ c⊎'c→c (process+ f1
(λ _ → lab (setSig tb sig2 red))
(λ _ → SIGCTL sig2) f0 efq₁ f0 efq₁
"(tbsig2red -> SIGCTLsig2)" □+ process+ f1
(λ _ → lab (setSig tb sig2 green))
(λ _ → SIGCTL sig2) f0 efq₁ f0 efq₁
"(tbsig2green -> SIGCTLsig2)")) Using
(λ str str' → strAppend str (strAppend " ||| " str')) ,
(λ a str → strAppend "fmap (" (strAppend str ")")) ,
(λ a str → strAppend "fmap (" (strAppend str ")"))) |||wNam++ fmap+ 0⊎0→0 (fmapWi
(λ str → strAppend "fmap (" (strAppend str ")")) inj₁ (fmap+ c⊎'c→c (fmap+ inj₁ (fmap-
(λ _ → lab (setSegm ta seg1 free))
(λ _ → SEGCTL seg1 free) f0 efq₁ f0 efq₁
"(taseg1free -> SEGCTLseg1free)" □+ process+ f1
(λ _ → lab (setSegm ta seg1 blocked))
(λ _ → SEGCTL seg1 blocked) f0 efq₁ f0 efq₁
"(taseg1blocked -> SEGCTLseg1blocked)") □+ fmap+ c⊎'c→c (process+ f1
(λ _ → lab (setSegm tb seg1 free))
(λ _ → SEGCTL seg1 free) f0 efq₁ f0 efq₁
"(tbseg1free -> SEGCTLseg1free)" □+ process+ f1
(λ _ → lab (setSegm tb seg1 blocked))
(λ _ → SEGCTL seg1 blocked) f0 efq₁ f0 efq₁
"(tbseg1blocked -> SEGCTLseg1blocked)")))))) Using
(λ str str' → strAppend str (strAppend " ||| " str')) ,
(λ a str → strAppend "fmap (" (strAppend str ")")) ,
(λ a str → strAppend "fmap (" (strAppend str ")"))) [
(λ x → true) ]||wNam+[
(λ x → true) ] process+ f1
(λ _ → lab (setSig ta sig1 green))
(λ _ → delay (node (process+ f1
(λ _ → lab (setSegm ta seg1 blocked))
(λ _ → TRAINLEAVE ta seg1 sig1) f0 efq₁ f0 efq₁
"(taseg1blocked -> TRAINLEAVEtaseg1sig1)"))) f0 efq₁ f0 efq₁
"(tasig1green -> (taseg1blocked -> TRAINLEAVEtaseg1sig1))" |||wNam++ process+ f1
(λ _ → lab (getSegm tb seg1 free))
(λ _ → delay (node (process+ f1
(λ _ → lab (setSig tb sig2 green))
(λ _ → delay (node (process+ f1
(λ _ → lab (setSegm tb seg1 blocked))
(λ _ → TRAINLEAVE tb seg1 sig2) f0 efq₁ f0 efq₁
"(tbseg1blocked -> TRAINLEAVEtbseg1sig2)"))) f0 efq₁ f0 efq₁
"(tbsig2green -> (tbseg1blocked -> TRAINLEAVEtbseg1sig2))"))) f0 efq₁ f0 efq₁
"(tbseg1free -> (tbsig2green -> (tbseg1blocked -> TRAINLEAVEtbseg1sig2)))" Using
(λ str str' → strAppend str (strAppend " ||| " str')) ,
(λ a str → strAppend "fmap (" (strAppend str ")")) ,
(λ a str → strAppend "fmap (" (strAppend str ")")) Using
(λ str str' → strAppend str (strAppend " [||] " str')) ,
(λ a str → strAppend "fmap (" (strAppend str ")")) ,
(λ a str → strAppend "fmap (" (strAppend str ")"))) (nth [] t))) .[]
(tnode (intc .[] .(just (PT (((fmap+ c⊎'c→c (fmap+ c⊎'c→c (process+ f1
(λ _ → lab (setSig ta sig1 red))
(λ _ → SIGCTL sig1) f0 efq₁ f0 efq₁
"(tasig1red -> SIGCTLsig1)" □+ process+ f1
(λ _ → lab (setSig ta sig1 green))
(λ _ → SIGCTL sig1) f0 efq₁ f0 efq₁
"(tasig1green -> SIGCTLsig1)") □+ fmap+ c⊎'c→c (process+ f1
(λ _ → lab (setSig tb sig1 red))
(λ _ → SIGCTL sig1) f0 efq₁ f0 efq₁
"(tbsig1red -> SIGCTLsig1)" □+ process+ f1
(λ _ → lab (setSig tb sig1 green))
(λ _ → SIGCTL sig1) f0 efq₁ f0 efq₁
"(tbsig1green -> SIGCTLsig1)")) |||wNam++ fmap+ c⊎'c→c (fmap+ c⊎'c→c (process+ f1
(λ _ → lab (setSig ta sig2 red))
(λ _ → SIGCTL sig2) f0 efq₁ f0 efq₁
"(tasig2red -> SIGCTLsig2)" □+ process+ f1
(λ _ → lab (setSig ta sig2 green))
(λ _ → SIGCTL sig2) f0 efq₁ f0 efq₁
"(tasig2green -> SIGCTLsig2)") □+ fmap+ c⊎'c→c (process+ f1
(λ _ → lab (setSig tb sig2 red))
(λ _ → SIGCTL sig2) f0 efq₁ f0 efq₁
"(tbsig2red -> SIGCTLsig2)" □+ process+ f1
(λ _ → lab (setSig tb sig2 green))
(λ _ → SIGCTL sig2) f0 efq₁ f0 efq₁
"(tbsig2green -> SIGCTLsig2)")) Using
(λ str str' → strAppend str (strAppend " ||| " str')) ,
(λ a str → strAppend "fmap (" (strAppend str ")")) ,
(λ a str → strAppend "fmap (" (strAppend str ")"))) |||wNam++ fmap+ 0⊎0→0 (fmapWi
(λ str → strAppend "fmap (" (strAppend str ")")) inj₁ (fmap+ c⊎'c→c (fmap+ inj₁ (fmap-
(λ _ → lab (setSegm ta seg1 free))
(λ _ → SEGCTL seg1 free) f0 efq₁ f0 efq₁
"(taseg1free -> SEGCTLseg1free)" □+ process+ f1
(λ _ → lab (setSegm ta seg1 blocked))
(λ _ → SEGCTL seg1 blocked) f0 efq₁ f0 efq₁
"(taseg1blocked -> SEGCTLseg1blocked)") □+ fmap+ c⊎'c→c (process+ f1
(λ _ → lab (setSegm tb seg1 free))
(λ _ → SEGCTL seg1 free) f0 efq₁ f0 efq₁
"(tbseg1free -> SEGCTLseg1free)" □+ process+ f1
(λ _ → lab (setSegm tb seg1 blocked))
(λ _ → SEGCTL seg1 blocked) f0 efq₁ f0 efq₁
"(tbseg1blocked -> SEGCTLseg1blocked)")))))) Using
(λ str str' → strAppend str (strAppend " ||| " str')) ,
(λ a str → strAppend "fmap (" (strAppend str ")")) ,
(λ a str → strAppend "fmap (" (strAppend str ")"))) [
(λ x → true) ]||wNam+[
(λ x → true) ] process+ f1
(λ _ → lab (setSig ta sig1 green))
(λ _ → delay (node (process+ f1
(λ _ → lab (setSegm ta seg1 blocked))
(λ _ → TRAINLEAVE ta seg1 sig1) f0 efq₁ f0 efq₁
"(taseg1blocked -> TRAINLEAVEtaseg1sig1)"))) f0 efq₁ f0 efq₁
"(tasig1green -> (taseg1blocked -> TRAINLEAVEtaseg1sig1))" |||wNam++ proce
(λ _ → lab (getSegm tb seg1 free))
(λ _ → delay (node (process+ f1
(λ _ → lab (setSig tb sig2 green))
(λ _ → delay (node (process+ f1
(λ _ → lab (setSegm tb seg1 blocked))
(λ _ → TRAINLEAVE tb seg1 sig2) f0 efq₁ f0 efq₁
"(tbseg1blocked -> TRAINLEAVEtbseg1sig2)"))) f0 efq₁ f0 efq₁
"(tbsig2green -> (tbseg1blocked -> TRAINLEAVEtbseg1sig2))"))) f0 efq₁ f0 efq₁
"(tbseg1free -> (tbsig2green -> (tbseg1blocked -> TRAINLEAVEtbseg1sig2)))" Using
(λ str str' → strAppend str (strAppend " ||| " str')) ,
(λ a str → strAppend "fmap (" (strAppend str ")")) ,
(λ a str → strAppend "fmap (" (strAppend str ")")) Using
(λ str str' → strAppend str (strAppend " [||] " str')) ,
(λ a str → strAppend "fmap (" (strAppend str ")")) ,
(λ a str → strAppend "fmap (" (strAppend str ")"))) (nth [] t))) zero
(tnode (terc t)))) mm' ()
noTraceBadSignal .nothing .[]
(tnode (intc .[] .nothing (suc zero)
(tnode empty))) mm' ()

noTraceBadSignal .nothing .(lab (setSigs sig2 green) :: [])
(tnode (intc .(lab (setSigs sig2 green) :: []) .nothing (suc zero)
(tnode (extc .[] .nothing zero
(tnode empty))))) mm' ()

noTraceBadSignal m .(lab (setSigs sig2 green) :: renameInSystem (Lab (((fmap+ c⊎'c→c (fmap+ c⊎'c→c
(λ _ → lab (setSig ta sig1 red))
(λ _ → SIGCTL sig1) f0 efq₁ f0 efq₁
"(tasig1red -> SIGCTLsig1)" □+ process+ f1
(λ _ → lab (setSig ta sig1 green))
(λ _ → SIGCTL sig1) f0 efq₁ f0 efq₁
"(tasig1green -> SIGCTLsig1)") □+ fmap+ c⊎'c→c (process+ f1
(λ _ → lab (setSig tb sig1 red))
(λ _ → SIGCTL sig1) f0 efq₁ f0 efq₁
"(tbsig1red -> SIGCTLsig1)" □+ process+ f1
(λ _ → lab (setSig tb sig1 green))
(λ _ → SIGCTL sig1) f0 efq₁ f0 efq₁
"(tbsig1green -> SIGCTLsig1)")) |||wNam++ fmap+ c⊎'c→c (fmap+ inj₂ (fmap+ c⊎'c→c (f
(λ _ → lab (setSig ta sig2 red))
(λ _ → SIGCTL sig2) f0 efq₁ f0 efq₁
"(tasig2red -> SIGCTLsig2)" □+ process+ f1
(λ _ → lab (setSig ta sig2 green))
(λ _ → SIGCTL sig2) f0 efq₁ f0 efq₁
"(tasig2green -> SIGCTLsig2)") □+ fmap+ c⊎'c→c (process+ f1
(λ _ → lab (setSig tb sig2 red))
(λ _ → SIGCTL sig2) f0 efq₁ f0 efq₁
"(tbsig2red -> SIGCTLsig2)" □+ process+ f1
(λ _ → lab (setSig tb sig2 green))
(λ _ → SIGCTL sig2) f0 efq₁ f0 efq₁
"(tbsig2green -> SIGCTLsig2)")))))) Using
(λ str str' → strAppend str (strAppend " ||| " str')) ,
(λ a str → strAppend "fmap (" (strAppend str ")")) ,
(λ a str → strAppend "fmap (" (strAppend str ")"))) |||wNam++ fmap+ 0⊎0→0 (fmapWi
(λ str → strAppend "fmap (" (strAppend str ")")) inj₁ (fmap+ c⊎'c→c (fmap+ inj₂ (fmap-
(λ _ → lab (setSegm ta seg1 free))
(λ _ → SEGCTL seg1 free) f0 efq₁ f0 efq₁
"(taseg1free -> SEGCTLseg1free)" □+ process+ f1
(λ _ → lab (setSegm ta seg1 blocked))
(λ _ → SEGCTL seg1 blocked) f0 efq₁ f0 efq₁
"(taseg1blocked -> SEGCTLseg1blocked)") □+ fmap+ c⊎'c→c (process+ f1
(λ _ → lab (setSegm tb seg1 free))
(λ _ → SEGCTL seg1 free) f0 efq₁ f0 efq₁
"(tbseg1free -> SEGCTLseg1free)" □+ process+ f1
(λ _ → lab (setSegm tb seg1 blocked))
(λ _ → SEGCTL seg1 blocked) f0 efq₁ f0 efq₁
"(tbseg1blocked -> SEGCTLseg1blocked)")))))) Using
(λ str str' → strAppend str (strAppend " ||| " str')) ,
(λ a str → strAppend "fmap (" (strAppend str ")")) ,
(λ a str → strAppend "fmap (" (strAppend str ")"))) [
(λ x → true) ]||wNam+[
(λ x → true) ] process+ f1
(λ _ → lab (getSegm ta seg1 free))
(λ _ → delay (node (process+ f1
(λ _ → lab (setSig ta sig1 green))
(λ _ → delay (node (process+ f1
(λ _ → lab (setSegm ta seg1 blocked))
(λ _ → TRAINLEAVE ta seg1 sig1) f0 efq₁ f0 efq₁
"(taseg1blocked -> TRAINLEAVEtaseg1sig1)"))) f0 efq₁ f0 efq₁
"(tasig1green -> (taseg1blocked -> TRAINLEAVEtaseg1sig1))"))) f0 efq₁ f0 efq₁
"(taseg1free -> (tasig1green -> (taseg1blocked -> TRAINLEAVEtaseg1sig1)))"
(λ _ → lab (setSegm tb seg1 blocked))
(λ _ → TRAINLEAVE tb seg1 sig2) f0 efq₁ f0 efq₁
"(tbseg1blocked -> TRAINLEAVEtbseg1sig2)" Using
(λ str str' → strAppend str (strAppend " ||| " str')) ,
(λ a str → strAppend "fmap (" (strAppend str ")")) ,
(λ a str → strAppend "fmap (" (strAppend str ")")) Using
(λ str str' → strAppend str (strAppend " [||] " str')) ,
(λ a str → strAppend "fmap (" (strAppend str ")")) ,
(λ a str → strAppend "fmap (" (strAppend str ")"))) (projSubset (nth [] _))) :: l)
(tnode (intc .(lab (setSigs sig2 green) :: renameInSystem (Lab (((fmap+ c⊎'c→c (fmap+ c
(λ _ → lab (setSig ta sig1 red))
(λ _ → SIGCTL sig1) f0 efq₁ f0 efq₁
"(tasig1red -> SIGCTLsig1)" □+ process+ f1
(λ _ → lab (setSig ta sig1 green))
(λ _ → SIGCTL sig1) f0 efq₁ f0 efq₁
"(tasig1green -> SIGCTLsig1)") □+ fmap+ c⊎'c→c (process+ f1
(λ _ → lab (setSig tb sig1 red))
(λ _ → SIGCTL sig1) f0 efq₁ f0 efq₁
"(tbsig1red -> SIGCTLsig1)" □+ process+ f1
(λ _ → lab (setSig tb sig1 green))
(λ _ → SIGCTL sig1) f0 efq₁ f0 efq₁
"(tbsig1green -> SIGCTLsig1)")) |||wNam++ fmap+ c⊎'c→c (fmap+ inj₂ (fmap+ c⊎'c→c (f
(λ _ → lab (setSig ta sig2 red))
(λ _ → SIGCTL sig2) f0 efq₁ f0 efq₁
"(tasig2red -> SIGCTLsig2)" □+ process+ f1
(λ _ → lab (setSig ta sig2 green))
(λ _ → SIGCTL sig2) f0 efq₁ f0 efq₁
"(tasig2green -> SIGCTLsig2)") □+ fmap+ c⊎'c→c (process+ f1
(λ _ → lab (setSig tb sig2 red))
(λ _ → SIGCTL sig2) f0 efq₁ f0 efq₁
"(tbsig2red -> SIGCTLsig2)" □+ process+ f1
(λ _ → lab (setSig tb sig2 green))
(λ _ → SIGCTL sig2) f0 efq₁ f0 efq₁
"(tbsig2green -> SIGCTLsig2)")))))) Using
(λ str str' → strAppend str (strAppend " ||| " str')) ,
(λ a str → strAppend "fmap (" (strAppend str ")")) ,
(λ a str → strAppend "fmap (" (strAppend str ")"))) |||wNam++ fmap+ 0⊎0→0 (fmapWithName-
(λ str → strAppend "fmap (" (strAppend str ")")) inj₁ (fmap+ c⊎'c→c (fmap+ inj₂ (fmap+ c⊎'c→c
(λ _ → lab (setSegm ta seg1 free))
(λ _ → SEGCTL seg1 free) f0 efq₁ f0 efq₁
"(taseg1free -> SEGCTLseg1free)" □+ process+ f1
(λ _ → lab (setSegm ta seg1 blocked))
(λ _ → SEGCTL seg1 blocked) f0 efq₁ f0 efq₁
"(taseg1blocked -> SEGCTLseg1blocked)") □+ fmap+ c⊎'c→c (process+ f1
(λ _ → lab (setSegm tb seg1 free))
(λ _ → SEGCTL seg1 free) f0 efq₁ f0 efq₁
"(tbseg1free -> SEGCTLseg1free)" □+ process+ f1
(λ _ → lab (setSegm tb seg1 blocked))
(λ _ → SEGCTL seg1 blocked) f0 efq₁ f0 efq₁
"(tbseg1blocked -> SEGCTLseg1blocked)")))))) Using
(λ str str' → strAppend str (strAppend " ||| " str')) ,
(λ a str → strAppend "fmap (" (strAppend str ")")) ,
(λ a str → strAppend "fmap (" (strAppend str ")"))) [
(λ x → true) ]||wNam+[
(λ x → true) ] process+ f1
(λ _ → lab (getSegm ta seg1 free))
(λ _ → delay (node (process+ f1
(λ _ → lab (setSig ta sig1 green))
(λ _ → delay (node (process+ f1
(λ _ → lab (setSegm ta seg1 blocked))
(λ _ → TRAINLEAVE ta seg1 sig1) f0 efq₁ f0 efq₁
"(taseg1blocked -> TRAINLEAVEtaseg1sig1)"))) f0 efq₁ f0 efq₁
"(tasig1green -> (taseg1blocked -> TRAINLEAVEtaseg1sig1))"))) f0 efq₁ f0 efq₁
"(taseg1free -> (tasig1green -> (taseg1blocked -> TRAINLEAVEtaseg1sig1)))"
(λ _ → lab (setSegm tb seg1 blocked))
(λ _ → TRAINLEAVE tb seg1 sig2) f0 efq₁ f0 efq₁
"(tbseg1blocked -> TRAINLEAVEtbseg1sig2)" Using
(λ str str' → strAppend str (strAppend " ||| " str')) ,
(λ a str → strAppend "fmap (" (strAppend str ")")) ,
(λ a str → strAppend "fmap (" (strAppend str ")")) Using
(λ str str' → strAppend str (strAppend " [||] " str')) ,
(λ a str → strAppend "fmap (" (strAppend str ")")) ,
(λ a str → strAppend "fmap (" (strAppend str ")"))) (projSubset (nth [] _))) :: l) .m (suc z
(tnode (extc .(renameInSystem (Lab (((fmap+ c⊎'c→c (fmap+ c⊎'c→c (process+ f1
(λ _ → lab (setSig ta sig1 red))
(λ _ → SIGCTL sig1) f0 efq₁ f0 efq₁
"(tasig1red -> SIGCTLsig1)" □+ process+ f1
(λ _ → lab (setSig ta sig1 green))
(λ _ → SIGCTL sig1) f0 efq₁ f0 efq₁
"(tasig1green -> SIGCTLsig1)") □+ fmap+ c⊎'c→c (process+ f1
(λ _ → lab (setSig tb sig1 red))
(λ _ → SIGCTL sig1) f0 efq₁ f0 efq₁
"(tbsig1red -> SIGCTLsig1)" □+ process+ f1
(λ _ → lab (setSig tb sig1 green))
(λ _ → SIGCTL sig1) f0 efq₁ f0 efq₁
"(tbsig1green -> SIGCTLsig1)")) |||wNam++ fmap+ c⊎'c→c (fmap+ inj₂ (fmap+ c⊎'c→c
(λ _ → lab (setSig ta sig2 red))
(λ _ → SIGCTL sig2) f0 efq₁ f0 efq₁
"(tasig2red -> SIGCTLsig2)" □+ process+ f1
(λ _ → lab (setSig ta sig2 green))
(λ _ → SIGCTL sig2) f0 efq₁ f0 efq₁
"(tasig2green -> SIGCTLsig2)") □+ fmap+ c⊎'c→c (process+ f1
(λ _ → lab (setSig tb sig2 red))
(λ _ → SIGCTL sig2) f0 efq₁ f0 efq₁
"(tbsig2red -> SIGCTLsig2)" □+ process+ f1
(λ _ → lab (setSig tb sig2 green))
(λ _ → SIGCTL sig2) f0 efq₁ f0 efq₁
"(tbsig2green -> SIGCTLsig2)")))))) Using
(λ str str' → strAppend str (strAppend " ||| " str')) ,
(λ a str → strAppend "fmap (" (strAppend str ")")) ,
(λ a str → strAppend "fmap (" (strAppend str ")"))) |||wNam++ fmap+ 0⊎0→0 (fmapWithName-
(λ str → strAppend "fmap (" (strAppend str ")")) inj₁ (fmap+ c⊎'c→c (fmap+ inj₂ (fmap+ c⊎'c→c
(λ _ → lab (setSegm ta seg1 free))
(λ _ → SEGCTL seg1 free) f0 efq₁ f0 efq₁
"(taseg1free -> SEGCTLseg1free)" □+ process+ f1
(λ _ → lab (setSegm ta seg1 blocked))
(λ _ → SEGCTL seg1 blocked) f0 efq₁ f0 efq₁
"(taseg1blocked -> SEGCTLseg1blocked)") □+ fmap+ c⊎'c→c (process+ f1
(λ _ → lab (setSegm tb seg1 free))
(λ _ → SEGCTL seg1 free) f0 efq₁ f0 efq₁
"(tbseg1free -> SEGCTLseg1free)" □+ process+ f1
(λ _ → lab (setSegm tb seg1 blocked))
(λ _ → SEGCTL seg1 blocked) f0 efq₁ f0 efq₁
"(tbseg1blocked -> SEGCTLseg1blocked)")))))) Using
(λ str str' → strAppend str (strAppend " ||| " str')) ,
(λ a str → strAppend "fmap (" (strAppend str ")")) ,
(λ a str → strAppend "fmap (" (strAppend str ")"))) [
(λ x → true) ]||wNam+[
(λ x → true) ] process+ f1
(λ _ → lab (getSegm ta seg1 free))
(λ _ → delay (node (process+ f1
(λ _ → lab (setSig ta sig1 green))
(λ _ → delay (node (process+ f1
(λ _ → lab (setSegm ta seg1 blocked))
(λ _ → TRAINLEAVE ta seg1 sig1) f0 efq₁ f0 efq₁
"(taseg1blocked -> TRAINLEAVEtaseg1sig1)"))) f0 efq₁ f0 efq₁
"(tasig1green -> (taseg1blocked -> TRAINLEAVEtaseg1sig1))"))) f0 efq₁ f0 efq₁
"(taseg1free -> (tasig1green -> (taseg1blocked -> TRAINLEAVEtaseg1sig1)))" |||wNam++
(λ _ → lab (setSegm tb seg1 blocked))
(λ _ → TRAINLEAVE tb seg1 sig2) f0 efq₁ f0 efq₁
"(tbseg1blocked -> TRAINLEAVEtbseg1sig2)" Using
(λ str str' → strAppend str (strAppend " ||| " str')) ,
(λ a str → strAppend "fmap (" (strAppend str ")")) ,
(λ a str → strAppend "fmap (" (strAppend str ")")) Using
(λ str str' → strAppend str (strAppend " [||] " str')) ,
(λ a str → strAppend "fmap (" (strAppend str ")")) ,
(λ a str → strAppend "fmap (" (strAppend str ")"))) (projSubset (nth [] _))) :: l) .m zero
(tnode (extc l .m 0 tr)))))) mm' ll'
noTraceBadSignal .nothing .(lab (setSigs sig2 green) :: [])
(tnode (intc .(lab (setSigs sig2 green) :: []) .nothing (suc zero)
(tnode (extc .[] .nothing zero
(tnode (intc .[] .nothing zero
(tnode empty))))))) mm' ()

noTraceBadSignal m .(lab (setSigs sig2 green) :: lab (setSigs sig2 red) :: l)
(tnode (intc .(lab (setSigs sig2 green) :: lab (setSigs sig2 red) :: l) .m (suc zero)
(tnode (extc .(lab (setSigs sig2 red) :: l) .m zero
(tnode (intc .(lab (setSigs sig2 red) :: l) .m zero
(tnode (extc l .m zero tr)))))))) mm' ()

noTraceBadSignal m .(lab (setSigs sig2 green) :: renamelnSystem (Lab (((fmap+ cl±l'c->c (fmaf 
(X _ —y lab (setSig ta sigl red)) 

(X _ —> SIGCTL sigl) fO efqi fO efqi 
" (tasiglred -> SIGCTLsigl)" □+ process+ fl 

(X —y lab (setSig ta sigl green)) 

(X _ —y SIGCTL sigl) fO efqi fO efqi 
" (tasiglgreen -> SIGCTLsigl)") □+ fmap+ cl±l'c->c (process+ fl 
(X _ —> lab (setSig tb sigl red)) 

(X —y SIGCTL sigl) fO efqi fO efqi 

" (tbsiglred -> SIGCTLsigl)" □+ process+ fl 
(X _ —y lab (setSig tb sigl green)) 

(X _ —y SIGCTL sigl) fO efqi fO efq x 

" (tbsiglgreen -> SIGCTLsigl)")) |||wl\lam++ fmap+ d±J’c->c (fmap+ inj 2 (fmap+ ct± 

(X —y lab (setSig ta sig2 red)) 

(X _ —y SIGCTL sig2) fO efqi fO efqi 
" (tasig2red -> SIGCTLsig2)" □+ process+ fl 

(X — y lab (setSig ta sig2 green)) 

(X — y SIGCTL sig2) fO efqi fO efqi 

" (tasig2green -> SIGCTLsig2) ") □+ fmap+ cW’c->c (process+ fl 

(X —y lab (setSig tb sig2 red)) 

(X —y SIGCTL sig2) fO efqi fO efqi 

" (tbsig2red -> SIGCTLsig2)" □+ process+ fl 

(X —y lab (setSig tb sig2 green)) 

(X _ —y SIGCTL sig2) fO efqi fO efqi 
" (tbsig2green -> SIGCTLsig2) ")))))) Using 
(X str str’ —y strAppend str (strAppend " III " str’)) , 

(X a str —>■ strAppend "fmap (" (strAppend str ")")) , 

(X a str —>• strAppend "fmap (" (strAppend str ")"))) |||wNam++ fmap+ 0l±l0->0 (fmapWi 
(X str —> strAppend "fmap (" (strAppend str ")")) inji (fmap+ cl±l'c->c (fmap+ inj 2 (fmap- 
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(X _ —> lab (getSegm ta segl blocked)) 

(X _ —> SEGCTL1 segl blocked) fO efqi fO efq x 
" (taseglblocked -> SEGCTLlseglblocked)" □+ process+ fl 

(X —y lab (getSegm tb segl blocked)) 

(X —y SEGCTL1 segl blocked) fO efqi fO efqi 

" (tbseglblocked -> SEGCTLlseglblocked)") □wl\lam+ fmap+ d±)'c->c (fmap+ cl±l'c->c (proc 

(X —y lab (setSegm ta segl free)) 

(X _ —> SEGCTL segl free) fO efq! fO efqi 
"(taseglfree -> SEGCTLseglf ree)" □+ process+ fl 
(X _ —>■ lab (setSegm ta segl blocked)) 

(X —> SEGCTL segl blocked) fO efqi fO efqi 

"(taseglblocked -> SEGCTLseglblocked) ") □+ fmap+ cW’c->c (process+ fl 
(X _ —>■ lab (setSegm tb segl free)) 

(X _ —> SEGCTL segl free) fO efqi fO efqi 
"(tbseglfree -> SEGCTLseglf ree)" □+ process+ fl 

(X —y lab (setSegm tb segl blocked)) 

(X —> SEGCTL segl blocked) fO efqi fO efqi 

"(tbseglblocked -> SEGCTLseglblocked) ")) Using 
(X str str’ —>• strAppend str (strAppend " □ " str’)) , 

(X str —>■ strAppend "fmap (" (strAppend str ")")) , 

(X str strAppend "fmap (" (strAppend str")''))))))))))) Using 
(X str str’ —> strAppend str (strAppend " III " str’)) , 

(X a str —> strAppend "fmap (" (strAppend str ")")) , 

(X a str —> strAppend "fmap (" (strAppend str ")"))) [ 

(X x —» true) ]||wl\lam+[ 

(X x —> true) ] process+ fl 

(X —y lab (getSegm ta segl free)) 

(X _ —>• delay (node (process+ fl 

(X —y lab (setSig ta sigl green)) 

(X _ —>• delay (node (process+ fl 
(X _ —>■ lab (setSegm ta segl blocked)) 

(X —y TRAINLEAVE ta segl sigl) fO efqi fO efqi 

"(taseglblocked -> TRAINLEAVEtaseglsigl) "))) fO efqi fO efqi 
" (tasiglgreen -> (taseglblocked -> TRAINLEAVEtaseglsigl) )"))) fO efqi fO efqi 
"(taseglfree -> (tasiglgreen -> (taseglblocked -> TRAINLEAVEtaseglsigl)))" |||wNai 

(X —y lab (setSig tb sig2 red)) 

(X _ —> delay (node (process+ fl 
(X _ —>• lab (setSegm tb segl free)) 

(X _ —> TRAINENTER tb segl sig2) fO efqi fO efqi 
"(tbseglfree -> TRAINENTERtbseglsig2) "))) fO efq : fO efqi 
"(tbsig2red -> (tbseglfree -> TRAINENTERtbseglsig2))" Using 
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(X str str’ —} strAppend str (strAppend " III " str’)) , 

(X a str —} strAppend "fmap (" (strAppend str ")")) , 

(X a str —} strAppend "fmap (" (strAppend str ")")) Using 

(X str str’ —» strAppend sir (strAppend " [| |]" str’)) , 

(X a str —} strAppend "fmap (" (strAppend str ")")) , 

(X a str —>■ strAppend "fmap (" (strAppend sir ")"))) (projSubset (nth [] _))) :: i) 

(tnode (intc .(lab (setSigs sig2 green) :: renamelnSystem (Lab (((fmap+ cl±l’c->c (fmap+ c 
(X _ —} lab (setSig ta sigl red)) 

(X _ —> SIGCTL sigl) fO efqi fO efqi 
" (tasiglred -> SIGCTLsigl)" □+ process+ fl 

(X —y lab (setSig ta sigl green)) 

(X —y SIGCTL sigl) fO efqi fO efqi 

" (tasiglgreen -> SIGCTLsigl)") □+ fmap+ cl±l'c->c (process+ fl 

(X —y lab (setSig tb sigl red)) 

(X —y SIGCTL sigl) fO efqi fO efqi 

" (tbsiglred -> SIGCTLsigl)" □+ process+ fl 
(X _ —} lab (setSig tb sigl green)) 

(X _ —y SIGCTL sigl) fO efqi fO efqi 

" (tbsiglgreen -> SIGCTLsigl)")) |||wl\lam++ fmap+ d±J'c->c (fmap+ inj 2 (fmap+ ct+ 

(X —y lab (setSig ta sig2 red)) 

(X _ —> SIGCTL sig2) fO efqi fO efqi 
" (tasig2red -> SIGCTLsig2)" □+ process+ fl 

(X —y lab (setSig ta sig2 green)) 

(X _ —y SIGCTL sig2) fO efqi fO efqi 
" (tasig2green -> SIGCTLsig2) ") □+ fmap+ cl±l’c->c (process+ fl 
(X _ —* lab (setSig tb sig2 red)) 

(X —} SIGCTL sig2) fO efqi fO efqi 

" (tbsig2red -> SIGCTLsig2)" □+ process+ fl 

(X —} lab (setSig tb sig2 green)) 

(X _ —> SIGCTL sig2) fO efqi fO efqi 
" (tbsig2green -> SIGCTLsig2) ")))))) Using 
(X str str’ —> strAppend str (strAppend " III " str’)) , 

(X a str-t strAppend "fmap (" (strAppend str ")")) , 

(X a str —>■ strAppend "fmap (" (strAppend str ")"))) |j|wNam++ fmap+ 0l±l0->0 (fmapWi 
(X str —} strAppend "fmap (" (strAppend str ")")) inji (fmap+ cl±l'c->c (fmap+ inj 2 (fmap- 

(X —y lab (getSegm ta segl blocked)) 

(X _ —> SEGCTL1 segl blocked) fO efqi fO efqi 
" (taseglblocked -> SEGCTLlseglblocked)" □+ process+ fl 
(X _ —} lab (getSegm tb segl blocked)) 

(X —} SEGCTL1 segl blocked) fO efqi fO efqi 

" (tbseglblocked -> SEGCTLlseglblocked)") □wl\lam+ fmap+ d±)’c->c (fmap+ cW'c- 
(X _ —y lab (setSegm ta segl free)) 

(X _ —y SEGCTL segl free) fO efqi fO efqi 
"(taseglfree -> SEGCTLseglf ree)" □+ process+ fl 

(X —y lab (setSegm ta segl blocked)) 

(X —y SEGCTL segl blocked) fO efqi fO efqi 

" (taseglblocked -> SEGCTLseglblocked) ") □+ fmap+ cl±l'c->c (process+ fl 

(X —y lab (setSegm tb segl free)) 

(X _ —y SEGCTL segl free) fO efq! fO efqi 
"(tbseglfree -> SEGCTLseglf ree)" □+ process+ fl 
(X _ —>■ lab (setSegm tb segl blocked)) 

(X —y SEGCTL segl blocked) fO efqi fO efqi 

"(tbseglblocked -> SEGCTLseglblocked) ")) Using 
(X str str’ —>■ strAppend str (strAppend " □ " str’)) , 

(X str —y strAppend "fmap (" (strAppend str ")")) , 

(X str —>■ strAppend "fmap (" (strAppend sir")"))))))))))) Using 
(X str str’ —y strAppend str (strAppend " III " str’)) , 

(X a str—} strAppend "fmap (" (strAppend str ")")) , 

(X a str —y strAppend "fmap (" (strAppend str ")"))) [ 

(X x —y true) ]||wNam+[ 

(X x —y true) ] process+ fl 

(X _ —> lab (getSegm ta segl free)) 

(X _ —y delay (node (process+ fl 
(X _ —y lab (setSig ta sigl green)) 

(X —y delay (node (process+ fl 

(X —y lab (setSegm ta segl blocked)) 

(X —y TRAIN LEAVE ta segl sigl) fO efqi fO efqi 

"(taseglblocked -> TRAINLEAVEtaseglsigl) "))) fO efqi fO efqi 
" (tasiglgreen -> (taseglblocked -> TRAINLEAVEtaseglsigl) )"))) fO efqi fO efqi 
"(taseglfree -> (tasiglgreen -> (taseglblocked -> TRAINLEAVEtaseglsigl)))" |||wNa 

(X —y lab (setSig tb sig2 red)) 

(X _ —>■ delay (node (process+ fl 

(X —y lab (setSegm tb segl free)) 

(X _ —> TRAINENTER tb segl sig2) fO efqi fO efqi 
"(tbseglfree -> TRAINENTERtbseglsig2) "))) fO efqi fO efqi 
"(tbsig2red -> (tbseglfree -> TRAINENTERtbseglsig2))" Using 
(X str str’ —y strAppend str (strAppend " III " str’)) , 

(X a str —y strAppend "fmap (" (strAppend str ")")) , 

(X a str —y strAppend "fmap (" (strAppend str ")")) Using 

(X str str’ —y strAppend str (strAppend " [| |]" str’)) , 

(X a str —y strAppend "fmap (" (strAppend str ")")) , 

(X a str-y strAppend "fmap (" (strAppend str ")"))) (projSubset (nth [] _))) :: l) .m (sue zero) 

(tnode (extc .(renamelnSystem (Lab (((fmap+ cl±)’c->c (fmap+ cl±)'c->c (process+ fl 

(X —y lab (setSig ta sigl red)) 

(X _ —y SIGCTL sigl) fO efqi fO efqi 
" (tasiglred -> SIGCTLsigl) 11 □+ process+ fl 
(X _ —>• lab (setSig ta sigl green)) 

(X —> SIGCTL sigl) fO efqi fO efqi 

" (tasiglgreen -> SIGCTLsigl)") □+ fmap+ cl±l’c->c (process+ fl 

(X —} lab (setSig tb sigl red)) 

(X _ —> SIGCTL sigl) fO efqi fO efqi 
" (tbsiglred -> SIGCTLsigl)" □+ process+ fl 

(X —y lab (setSig tb sigl green)) 

(X —> SIGCTL sigl) fO efqi fO efqi 

" (tbsiglgreen -> SIGCTLsigl)")) |||wl\lam++ fmap+ cl±)’c->c (fmap+ inj 2 (fmap+ ctt 

(X —^ lab (setSig ta sig2 red)) 

(X —y SIGCTL sig2) fO efqi fO efqi 

" (tasig2red -> SIGCTLsig2)" □+ process+ fl 

(X —y lab (setSig ta sig2 green)) 

(X _ —> SIGCTL sig2) fO efqi fO efq x 
" (tasig2green -> SIGCTLsig2) ") □+ fmap+ cl±)’c->c (process+ fl 

(X —y lab (setSig tb sig2 red)) 

(X _ —> SIGCTL sig2) fO efqi fO efqi 
" (tbsig2red -> SIGCTLsig2)" □+ process+ fl 
(X _ —> lab (setSig tb sig2 green)) 

(X _ —y SIGCTL sig2) fO efqi fO efqi 
" (tbsig2green -> SIGCTLsig2) ")))))) Using 
(X str str’ —> strAppend str (strAppend " III " str’)) , 

(X a str—} strAppend "fmap (" (strAppend str ")")) , 

(X a str —>■ strAppend "fmap (" (strAppend str ")"))) |||wl\lam++ fmap+ 0l±)0->0 (fmapWi 
(X str —} strAppend "fmap (" (strAppend str ")")) inji (fmap+ cl±l’c->c (fmap+ inj 2 (fmap- 
(X _ —)• lab (getSegm ta segl blocked)) 

(X —y SEGCTL1 segl blocked) fO efqi fO efqi 

" (taseglblocked -> SEGCTLlseglblocked)" □+ process+ fl 

(X —y lab (getSegm tb segl blocked)) 

(X _ —> SEGCTL1 segl blocked) fO efqi fO efqi 
" (tbseglblocked -> SEGCTLlseglblocked)") □wl\lam+ fmap+ cl±l’c->c (fmap+ cttl’c- 

(X —y lab (setSegm ta segl free)) 

(X _ —> SEGCTL segl free) fO efqi fO efqi 
"(taseglfree -> SEGCTLseglfree)" □+ process+ fl 
(X _ —> lab (setSegm ta segl blocked)) 

(X —y SEGCTL segl blocked) fO efq x fO efqi 

"(taseglblocked -> SEGCTLseglblocked) ") □+ fmap+ cW’c->c (process+ fl 

(X _ —> lab (setSegm tb segl free)) 

(X _ —> SEGCTL segl free) fO efqi fO efqi 
"(tbseglfree -> SEGCTLseglf ree)" □+ process+ fl 

(X —y lab (setSegm tb segl blocked)) 

(X —y SEGCTL segl blocked) fO efqi fO efqi 

" (tbseglblocked -> SEGCTLseglblocked) ")) Using 
(X str str’ —>• strAppend str (strAppend " □ " str’)) , 

(X str —>■ strAppend "fmap (" (strAppend str ")")) , 

(X str —>• strAppend "fmap (" (strAppend str")"))))))))))) Using 
(X str str’ —>• strAppend str (strAppend " III " str’)) , 

(X a str —> strAppend "fmap (" (strAppend str ")")) , 

(X a str —> strAppend "fmap (" (strAppend str ")"))) [ 

(X x —* true) ]||wl\lam+[ 

(X x —> true) ] process+ fl 

(X _ —>• lab (getSegm ta segl free)) 

(X —y delay (node (process+ fl 

(X _ —>• lab (setSig ta sigl green)) 

(X —y delay (node (process+ fl 

(X _ —> lab (setSegm ta segl blocked)) 

(X _ —> TRAINLEAVE ta segl sigl) fO efqi fO efqi 
" (taseglblocked -> TRAINLEAVEtaseglsigl) "))) fO efqi fO efqi 
" (tasiglgreen -> (taseglblocked -> TRAINLEAVEtaseglsigl) )"))) fO efqi fO efqi 
"(taseglfree -> (tasiglgreen -> (taseglblocked -> TRAINLEAVEtaseglsigl)))" |||wNa 

(X —^ lab (setSig tb sig2 red)) 

(X —^ delay (node (process+ fl 

(X _ —>• lab (setSegm tb segl free)) 

(X —> TRAINENTER tb segl sig2) fO efqi fO efqi 

"(tbseglfree -> TRAINENTERtbseglsig2) "))) fO efqi fO efq x 
"(tbsig2red -> (tbseglfree -> TRAINENTERtbseglsig2))" Using 
(X str str’ —>• strAppend str (strAppend " III " str’)) , 

(X a str —>■ strAppend "fmap (" (strAppend str ")")) , 

(X a str —> strAppend "fmap (" (strAppend str ")")) Using 

(X str str’ —>■ strAppend str (strAppend " [| |]" str’)) , 

(X a str —>■ strAppend "fmap (" (strAppend str ")")) , 

(X a str —► strAppend "fmap (" (strAppend str ")"))) (projSubset (nth [] _))) :: l) .m zero 

(tnode (intc .(renamelnSystem (Lab (((fmap+ cl±l'c->c (fmap+ cl±l'c->c (process+ fl 
(X _ —> lab (setSig ta sigl red)) 

(X _ —y SIGCTL sigl) fO efqi fO efqi 
"(tasiglred -> SIGCTLsigl)" □+ process+ fl 

(X —y lab (setSig ta sigl green)) 

(X _ —y SIGCTL sigl) fO efqi fO efqi 

" (tasiglgreen -> SIGCTLsigl) ") □+ fmap+ cl±)’c->c (process+ fl 
(X _ —> lab (setSig tb sigl red)) 

(X _ —> SIGCTL sigl) fO efqi fO efq x 
" (tbsiglred -> SIGCTLsigl) 11 □+ process+ fl 

(X —^ lab (setSig tb sigl green)) 

(X —> SIGCTL sigl) fO efqi fO efqi 

" (tbsiglgreen -> SIGCTLsigl)")) |||wl\lam++ fmap+ cl±l’c->c (fmap+ inj 2 (fmap+ cli 

(X —y lab (setSig ta sig2 red)) 

(X _ —y SIGCTL sig2) fO efqx fO efqi 
" (tasig2red -> SIGCTLsig2)" □+ process+ fl 

(X —y lab (setSig ta sig2 green)) 

(X —y SIGCTL sig2) fO efqi fO efqi 

" (tasig2green -> SIGCTLsig2) ") □+ fmap+ cW’c->c (process+ fl 

(X —^ lab (setSig tb sig2 red)) 

(X _ —> SIGCTL sig2) fO efqi fO efqi 
" (tbsig2red -> SIGCTLsig2)" □+ process+ fl 
(X _ —>• lab (setSig tb sig2 green)) 

(X _ —> SIGCTL sig2) fO efqi fO efqi 
" (tbsig2green -> SIGCTLsig2) ")))))) Using 
(X str str’ —» strAppend str (strAppend " III " str ’)) , 

(X a str —>■ strAppend "fmap (" (strAppend str ")")) , 

(X a str —>• strAppend "fmap (" (strAppend str ")"))) |j|wl\lam++ fmap+ 0l±)0->0 (fmapWi 
(X str —> strAppend "fmap (" (strAppend str ")")) inji (fmap+ cl±l’c->c (fmap+ inj 2 (fmap- 
(X _ —> lab (getSegm ta segl blocked)) 

(X _ —> SEGCTL1 segl blocked) fO efqi fO efqi 
" (taseglblocked -> SEGCTLlseglblocked)" □+ process+ fl 

(X —y lab (getSegm tb segl blocked)) 

(X —y SEGCTL1 segl blocked) fO efqi fO efqi 

" (tbseglblocked -> SEGCTLlseglblocked)") □wl\lam+ fmap+ d±)'c->c (fmap+ cttl’c- 
(X _ —)■ lab (setSegm ta segl free)) 

(X _ —> SEGCTL segl free) fO efqi fO efqi 
"(taseglfree -> SEGCTLseglf ree)" □+ process+ fl 

(X —y lab (setSegm ta segl blocked)) 

(X _ —> SEGCTL segl blocked) fO efq x fO efqi 
"(taseglblocked -> SEGCTLseglblocked) ") □+ fmap+ cl±l'c->c (process+ fl 
(X _ —> lab (setSegm tb segl free)) 

(X _ —> SEGCTL segl free) fO efqi fO efqi 
"(tbseglfree -> SEGCTLseglf ree)" □+ process+ fl 
(X _ —> lab (setSegm tb segl blocked)) 

(X _ —> SEGCTL segl blocked) fO efqi fO efq x 
"(tbseglblocked -> SEGCTLseglblocked)")) Using 

(X str str’ —> strAppend str (strAppend " □ " str’)) , 

(X str —>• strAppend "fmap (" (strAppend str ")")) , 

(X str—> strAppend "fmap (" (strAppend str ") "))))))))))) Using 
(X str str’ —>• strAppend str (strAppend " III " str’)) , 

(X a str —>■ strAppend "fmap (" (strAppend str ")")) , 

(X a str —>• strAppend "fmap (" (strAppend str ")"))) [ 

(X x —* true) ]|jwNam+[ 

(X x —> true) ] process+ fl 

(X —y lab (getSegm ta segl free)) 

(X —y delay (node (process+ fl 

(X —y lab (setSig ta sigl green)) 

(X _ —> delay (node (process+ fl 
(X _ —^ lab (setSegm ta segl blocked)) 

(X _ —> TRAINLEAVE ta segl sigl) fO efq x fO efq x 
" (taseglblocked -> TRAINLEAVEtaseglsigl) "))) fO efq x fO efq x 
" (tasiglgreen -> (taseglblocked -> TRAINLEAVEtaseglsigl) )"))) fO efq x fO efq x 
"(taseglfree -> (tasiglgreen -> (taseglblocked -> TRAINLEAVEtaseglsigl)))" |||wNa 
(X _ —> lab (setSig tb sig2 red)) 

(X —y delay (node (process+ fl 

(X —^ lab (setSegm tb segl free)) 

(X —> TRAINENTER tb segl sig2) fO efq x fO efq x 

" (tbseglf ree -> TRAINENTERtbseglsig2) "))) fO efq x fO efq x 
"(tbsig2red -> (tbseglfree -> TRAINENTERtbseglsig2))" Using 
(X str str’ —>• strAppend str (strAppend " III " str’)) , 

(X a str —>■ strAppend "fmap (" (strAppend str ")")) , 

(X a str —>■ strAppend "fmap (" (strAppend str ")")) Using 

(X str str’ —>• strAppend str (strAppend " [ | | ]" str’)) , 

(X a str —>■ strAppend "fmap (" (strAppend str ")")) , 

(X a str —► strAppend "fmap (" (strAppend str ")"))) (projSubset (nth [] _))) :: l) .m zero 

(tnode (extc l .m (sue ()) tr)))))))) mm’ IV 
noTraceBadSignal m .(lab (setSigs sig2 green) :: / x ) 

(tnode (intc .(lab (setSigs sig2 green) :: / x ) .m (sue zero) 

(tnode (extc Z x .m zero 
(tnode (intc J x .m zero 
(tnode (intc ,/ x .m 0 tr)))))))) mm’ IV 
noTraceBadSignal .(just (PT (((fmap+ cl±l'c->c (fmap+ cl±l’c->c (process+ fl 
(X _ —> lab (setSig ta sigl red)) 

(X _ —y SIGCTL sigl) fO efq x fO efq x 
"(tasiglred -> SIGCTLsigl)" □+ process+ fl 

(X —y lab (setSig ta sigl green)) 

(X _ —y SIGCTL sigl) fO efq x fO efq x 

" (tasiglgreen -> SIGCTLsigl) ") □+ fmap+ cl±)’c->c (process+ fl 
(X _ —> lab (setSig tb sigl red)) 

(X _ —> SIGCTL sigl) fO efqi fO efq x 
" (tbsiglred -> SIGCTLsigl) 11 □+ process+ fl 

(X —^ lab (setSig tb sigl green)) 

(X —> SIGCTL sigl) fO efqi fO efqi 

" (tbsiglgreen -> SIGCTLsigl)")) |||wl\lam++ fmap+ cl±l’c->c (fmap+ inj 2 (fmap+ cli 

(X —y lab (setSig ta sig2 red)) 

(X _ —y SIGCTL sig2) fO efqx fO efqi 
" (tasig2red -> SIGCTLsig2)" □+ process+ fl 

(X —y lab (setSig ta sig2 green)) 

(X —y SIGCTL sig2) fO efqi fO efqi 

" (tasig2green -> SIGCTLsig2) ") □+ fmap+ cW’c->c (process+ fl 

(X —^ lab (setSig tb sig2 red)) 

(X _ —> SIGCTL sig2) fO efqi fO efqi 
" (tbsig2red -> SIGCTLsig2)" □+ process+ fl 
(X _ —>• lab (setSig tb sig2 green)) 

(X _ —> SIGCTL sig2) fO efqi fO efqi 
" (tbsig2green -> SIGCTLsig2) ")))))) Using 
(X str str’ —» strAppend str (strAppend " III " str ’)) , 

(X a str —>■ strAppend "fmap (" (strAppend str ")")) , 

(X a str —>• strAppend "fmap (" (strAppend str ")"))) |j|wl\lam++ fmap+ 0l±)0->0 (fmapWi 
(X str —> strAppend "fmap (" (strAppend str ")")) inji (fmap+ cl±l’c->c (fmap+ inj 2 (fmap- 
(X _ —> lab (getSegm ta segl blocked)) 

(X _ —> SEGCTL1 segl blocked) fO efqi fO efqi 
" (taseglblocked -> SEGCTLlseglblocked)" □+ process+ fl 

(X —y lab (getSegm tb segl blocked)) 

(X —y SEGCTL1 segl blocked) fO efqi fO efqi 

" (tbseglblocked -> SEGCTLlseglblocked)") □wl\lam+ fmap+ d±)'c->c (fmap+ cttl’c- 
(X _ —)■ lab (setSegm ta segl free)) 

(X _ —> SEGCTL segl free) fO efqi fO efqi 
"(taseglfree -> SEGCTLseglf ree)" □+ process+ fl 

(X —y lab (setSegm ta segl blocked)) 

(X _ —> SEGCTL segl blocked) fO efq x fO efqi 
"(taseglblocked -> SEGCTLseglblocked) ") □+ fmap+ cl±l'c->c (process+ fl 
(X _ —> lab (setSegm tb segl free)) 

(X _ —> SEGCTL segl free) fO efqi fO efqi 
"(tbseglfree -> SEGCTLseglf ree)" □+ process+ fl 
(X _ —> lab (setSegm tb segl blocked)) 

(X _ —> SEGCTL segl blocked) fO efq x fO efq x 
"(tbseglblocked -> SEGCTLseglblocked)")) Using 

(X str str’ —> strAppend str (strAppend " □ " str’)) , 

(X str ^ strAppend "fmap (" (strAppend str ")")) , 

(X str—> strAppend "fmap (" (strAppend str ")"))))))))))) Using 
(X str str’ —>• strAppend str (strAppend " III " str 1 )) , 

(X a str —>• strAppend "fmap (" (strAppend str ")")) , 

(X a str —>■ strAppend "fmap (" (strAppend str ")"))) [ 

(X x —* true) ]||wNam+[ 

(X x —> true) ] process+ fl 

(X —y lab (getSegm ta segl free)) 

(X —y delay (node (process+ fl 

(X —y lab (setSig ta sigl green)) 

(X _ —> delay (node (process+ fl 
(X _ —> lab (setSegm ta segl blocked)) 

(X _ —> TRAINLEAVE ta segl sigl) fO efq x fO efq x 
" (taseglblocked -> TRAINLEAVEtaseglsigl) "))) fO efq x fO efq x 
" (tasiglgreen -> (taseglblocked -> TRAINLEAVEtaseglsigl) )"))) fO efq x fO efq x 
"(taseglfree -> (tasiglgreen -> (taseglblocked -> TRAINLEAVEtaseglsigl)))" |||wNai 
(X _ —> lab (setSig tb sig2 red)) 

(X —y delay (node (process+ fl 

(X —^ lab (setSegm tb segl free)) 

(X —> TRAINENTER tb segl sig2) fO efq x fO efq x 

" (tbseglf ree -> TRAINENTERtbseglsig2) "))) fO efq x fO efq x 
"(tbsig2red -> (tbseglfree -> TRAINENTERtbseglsig2))" Using 
(X str str’ —>• strAppend str (strAppend " III " str’)) , 

(X a str —>■ strAppend "fmap (" (strAppend str ")")) , 

(X a str —>• strAppend "fmap (" (strAppend str ")")) Using 

(X str str’ —>• strAppend str (strAppend " [ | | ]" str’)) , 

(X a str —>• strAppend "fmap (" (strAppend str ")")) , 

(X a str —>• strAppend "fmap (" (strAppend str ")"))) (nth [] t))) .(lab (setSigs sig2 green) :: []) 

(tnode (intc .(lab (setSigs sig2 green) :: []) .(just (PT (((fmap+ cl±l’c->c (fmap+ cl±)’c->c (processH 
(X _ —>■ lab (setSig ta sigl red)) 

(X —> SIGCTL sigl) fO efq x fO efq x 

" (tasiglred -> SIGCTLsigl)" □+ process+ fl 
(X _ —>■ lab (setSig ta sigl green)) 

(X _ —> SIGCTL sigl) fO efq x fO efq x 
"(tasiglgreen -> SIGCTLsigl)") □+ fmap+ d±J'c->c (process+ fl 
(X _ —> lab (setSig tb sigl red)) 

(X _ —y SIGCTL sigl) fO efq x fO efq x 
" (tbsiglred -> SIGCTLsigl)" □+ process+ fl 

(X —y lab (setSig tb sigl green)) 

(X _ -t SIGCTL sigl) fO efq x fO efq x 

" (tbsiglgreen -> SIGCTLsigl) ")) |||wNam++ fmap+ cl±)’c->c (fmap+ inj 2 (fmap+ ctt 

(X —y lab (setSig ta sig2 red)) 

(X _ —> SIGCTL sig2) fO efqi fO efq x 
" (tasig2red -> SIGCTLsig2) 11 □+ process+ fl 

(X —^ lab (setSig ta sig2 green)) 

(X —> SIGCTL sig2) fO efqi fO efqi 
" (tasig2green -> SIGCTLsig2) ") □+ fmap+ cl±l’c->c (process+ fl 

(X —^ lab (setSig tb sig2 red)) 

(X _ —y SIGCTL sig2) fO efqx fO efqi 
" (tbsig2red -> SIGCTLsig2)" □+ process+ fl 

(X —y lab (setSig tb sig2 green)) 

(X —> SIGCTL sig2) fO efqi fO efqi 
" (tbsig2green -> SIGCTLsig2) ")))))) Using 
(X str str’ —> strAppend str (strAppend " III " str’)) , 

(X a str —>• strAppend "fmap (" (strAppend str ")")) , 

(X a str —>• strAppend "fmap (" (strAppend str ")"))) |j|wl\lam++ fmap+ 0l±l0->0 (fmapWi 
(X str —>• strAppend "fmap (" (strAppend str ")")) inji (fmap+ cl±l'c->c (fmap+ inj 2 (fmap- 

(X —^ lab (getSegm ta segl blocked)) 

(X _ —> SEGCTL1 segl blocked) fO efqi fO efqi 
" (taseglblocked -> SEGCTLlseglblocked)" □ + process+ fl 
(X _ —> lab (getSegm tb segl blocked)) 

(X _ —> SEGCTL1 segl blocked) fO efqi fO efqi 
" (tbseglblocked -> SEGCTLlseglblocked)") □wl\lam+ fmap+ cl±)’c->c (fmap+ ctfcl'c- 

(X —y lab (setSegm ta segl free)) 

(X _ —> SEGCTL segl free) fO efq x fO efqi 
"(taseglfree -> SEGCTLseglf ree)" □+ process+ fl 

(X —y lab (setSegm ta segl blocked)) 

(X —y SEGCTL segl blocked) fO efq x fO efq x 

"(taseglblocked -> SEGCTLseglblocked) ") □+ fmap+ cl±J’c->c (process+ fl 
(X _ —>■ lab (setSegm tb segl free)) 

(X _ —> SEGCTL segl free) fO efqi fO efqi 
"(tbseglfree -> SEGCTLseglf ree)" □+ process+ fl 

(X —y lab (setSegm tb segl blocked)) 

(X _ —> SEGCTL segl blocked) fO efqi fO efq x 
"(tbseglblocked -> SEGCTLseglblocked)")) Using 
(X str str’ —> strAppend str (strAppend " □ " str’)) , 

(X str —>• strAppend "fmap (" (strAppend str ")")) , 

(X str —>• strAppend "fmap (" (strAppend str ") "))))))))))) Using 
(X str str’ —> strAppend str (strAppend " III " str’)) , 

(X a str —>• strAppend "fmap (" (strAppend str ")")) , 

(X a str —> strAppend "fmap (" (strAppend str ")"))) [ 

(X x —y true) ]||wNam+[ 

(X x —> true) ] process+ fl 

(X _ —> lab (getSegm ta segl free)) 

(X —^ delay (node (process+ fl 

(X _ —> lab (setSig ta sigl green)) 

(X —y delay (node (process+ fl 

(X —y lab (setSegm ta segl blocked)) 

(X _ —> TRAIN LEAVE ta segl sigl) fO efq x fO efq x 
" (taseglblocked -> TRAINLEAVEtaseglsigl) "))) fO efq x fO efq x 
" (tasiglgreen -> (taseglblocked -> TRAINLEAVEtaseglsigl) )"))) fO efq x fO efq x 
"(taseglfree -> (tasiglgreen -> (taseglblocked -> TRAINLEAVEtaseglsigl)))" |||wNai 
(X _ —>■ lab (setSig tb sig2 red)) 

(X _ —>■ delay (node (process+ fl 
(X _ —>■ lab (setSegm tb segl free)) 

(X —y TRAINENTER tb segl sig2) fO efq x fO efq x 

" (tbseglf ree -> TRAINENTERtbseglsig2) "))) fO efq x fO efq x 
"(tbsig2red -> (tbseglfree -> TRAINENTERtbseglsig2))" Using 
(X str str’ —> strAppend str (strAppend " III " str’)) , 

(X a str —>• strAppend "fmap (" (strAppend str ")")) , 

(X a str —> strAppend "fmap (" (strAppend str ")")) Using 

(X str str’ —>■ strAppend str (strAppend " [| |]" str’)) , 

(X a str -4- strAppend "fmap (" (strAppend str ")")) , 

(X a str —)■ strAppend "fmap (" (strAppend str ")"))) (nth [] t))) (sue zero) 

(tnode (extc .[] .(just (PT (((fmap+ cl±l’c->c (fmap+ cl±l’c->c (process+ fl 

(X —y lab (setSig ta sigl red)) 

(X —> SIGCTL sigl) fO efq x fO efq x 

" (tasiglred -> SIGCTLsigl)" □+ process+ fl 

(X —y lab (setSig ta sigl green)) 

(X _ —> SIGCTL sigl) fO efq x fO efq x 
"(tasiglgreen -> SIGCTLsigl)") □+ fmap+ d±)'c->c (process+ fl 
(X _ —>■ lab (setSig tb sigl red)) 

(X —> SIGCTL sigl) fO efq x fO efq x 

" (tbsiglred -> SIGCTLsigl)" □+ process+ fl 
(X _ —)■ lab (setSig tb sigl green)) 

(X _ —> SIGCTL sigl) fO efq x fO efq x 

" (tbsiglgreen -> SIGCTLsigl)")) |||wNam++ fmap+ d±)'c->c (fmap+ inj 2 (fmap+ ct±J’c->c (f 
(X _ —> lab (setSig ta sig2 red)) 

(X _ —y SIGCTL sig2) fO efq x fO efq x 
"(tasig2red -> SIGCTLsig2)" □+ process+ fl 

(X —y lab (setSig ta sig2 green)) 

(X _ —y SIGCTL sig2) fO efq x fO efq x 

" (tasig2green -> SIGCTLsig2) ") □+ fmap+ cl±l’c->c (process+ fl 
(X _ —> lab (setSig tb sig2 red)) 

(X _ —y SIGCTL sig2) fO efqi fO efqi 
" (tbsig2red -> SIGCTLsig2) 11 □ + process+ fl 
(X _ —>• lab (setSig tb sig2 green)) 

(X —> SIGCTL sig2) fO efqi fO efqi 

" (tbsig2green -> SIGCTLsig2) ")))))) Using 
(X str str’ —> strAppend str (strAppend " III " str ’)) , 

(X a str —>• strAppend "fmap (" (strAppend str ")")) , 

(X a str —>■ strAppend "fmap (" (strAppend str ")"))) |j|wNam++ fmap+ 0l±l0->0 (fmapWi 
(X str —> strAppend "fmap (" (strAppend str ")")) inji (fmap+ cl±l'c->c (fmap+ inj 2 (fmap- 

(X —y lab (getSegm ta segl blocked)) 

(X —y SEGCTL1 segl blocked) fO efqi fO efqi 

" (taseglblocked -> SEGCTLlseglblocked)" □+ process+ fl 

(X —y lab (getSegm tb segl blocked)) 

(X —y SEGCTL1 segl blocked) fO efqi fO efqi 

" (tbseglblocked -> SEGCTLlseglblocked)") □wl\lam+ fmap+ d±l'c->c (fmap+ cW’c- 
(X _ —> lab (setSegm ta segl free)) 

(X —y SEGCTL segl free) fO efqi fO efq x 

" (taseglfree -> SEGCTLseglfree)" □+ process+ fl 

(X —y lab (setSegm ta segl blocked)) 

(X _ —> SEGCTL segl blocked) fO efqi fO efqi 
"(taseglblocked -> SEGCTLseglblocked) ") □+ fmap+ d±l’c->c (processT fl 

(X —y lab (setSegm tb segl free)) 

(X _ —> SEGCTL segl free) fO efqi fO efq x 
"(tbseglfree -> SEGCTLseglfree)" □+ process+ fl 
(X _ —>• lab (setSegm tb segl blocked)) 

(X _ —> SEGCTL segl blocked) fO efqi fO efqi 
"(tbseglblocked -> SEGCTLseglblocked) ")) Using 
(X str str’ —> strAppend str (strAppend " □ " str’)) , 

(X str —» strAppend "fmap (" (strAppend str ")")) , 

(X str —> strAppend "fmap (" (strAppend str'')"))))))))))) Using 
(X str str’ —> strAppend str (strAppend " III " str’)) , 

(X a str —>■ strAppend "fmap (" (strAppend str ")")) , 

(X a str strAppend "fmap (" (strAppend str ")"))) [ 

(X x —» true) ]||wNam+[ 

(X x —> true) ] process+ fl 

(X —y lab (getSegm ta segl free)) 

(X _ —> delay (node (process+ fl 

(X —y lab (setSig ta sigl green)) 

(X —y delay (node (process+ fl 
(X _ —> lab (setSegm ta segl blocked)) 

(X _ —> TRAINLEAVE ta segl sigl) fO efq x fO efq x 
" (taseglblocked -> TRAINLEAVEtaseglsigl) "))) fO efq x fO efq x 
" (tasiglgreen -> (taseglblocked -> TRAINLEAVEtaseglsigl) )"))) fO efq x fO efq x 
"(taseglfree -> (tasiglgreen -> (taseglblocked -> TRAINLEAVEtaseglsigl)))" |||wNai 

(X —y lab (setSig tb sig2 red)) 

(X —y delay (node (process+ fl 

(X —y lab (setSegm tb segl free)) 

(X _ —> TRAINENTER tb segl sig2) fO efq x fO efq x 
" (tbseglf ree -> TRAINENTERtbseglsig2) "))) fO efq x fO efq x 
"(tbsig2red -> (tbseglfree -> TRAINENTERtbseglsig2))" Using 
(X str str’ —> strAppend str (strAppend " III " str’)) , 

(X a str —> strAppend "fmap (" (strAppend str ")")) , 

(X a str strAppend "fmap (" (strAppend str ")")) Using 

(X str str’ —>• strAppend str (strAppend " [| |]" str’)) , 

(X a str —>• strAppend "fmap (" (strAppend str ")")) , 

(X a str —>■ strAppend "fmap (" (strAppend str ")"))) (nth [] ())) zero 

(tnode (intc .[] .(just (PT (((fmap+ cl±l’c->c (fmap+ cl±l’c->c (process+ fl 
(X _ —>• lab (setSig ta sigl red)) 

(X _ —> SIGCTL sigl) fO efq x fO efq x 
" (tasiglred -> SIGCTLsigl)" □+ process+ fl 
(X _ —>■ lab (setSig ta sigl green)) 

(X _ —> SIGCTL sigl) fO efq x fO efq x 
"(tasiglgreen -> SIGCTLsigl)") □+ fmap+ d±)’c->c (process+ fl 

(X —y lab (setSig tb sigl red)) 

(X —> SIGCTL sigl) fO efq x fO efq x 

" (tbsiglred -> SIGCTLsigl)" □+ process+ fl 

(X —y lab (setSig tb sigl green)) 

(X _ —> SIGCTL sigl) fO efq x fO efq x 

" (tbsiglgreen -> SIGCTLsigl)")) |||wl\lam++ fmap+ d±)’c->c (fmap+ inj 2 (fmap+ ctfcl’c->c (f 
(X _ —>■ lab (setSig ta sig2 red)) 

(X —> SIGCTL sig2) fO efq x fO efq x 

" (tasig2red -> SIGCTLsig2)" □+ process+ fl 
(X _ —>■ lab (setSig ta sig2 green)) 

(X _ —> SIGCTL sig2) fO efq x fO efq x 
" (tasig2green -> SIGCTLsig2) ") □+ fmap+ cl±)’c->c (process+ fl 
(X _ —>• lab (setSig tb sig2 red)) 

(X _ —>• SIGCTL sig2) fO efq x fO efq x 
" (tbsig2red -> SIGCTLsig2)" □+ process+ fl 

(X —y lab (setSig tb sig2 green)) 

(X _ -t SIGCTL sig2) fO efq x fO efq x 
" (tbsig2green -> SIGCTLsig2) ")))))) Using 
(X str str’ —» strAppend str (strAppend " III " str’)) , 

(X a str —>• strAppend "fmap (" (strAppend str ")")) , 

(X a str —>■ strAppend "fmap (" (strAppend str ")"))) |||wl\lam++ fmap+ 0l±)0->0 (fmapWi 
(X str —>• strAppend "fmap (" (strAppend str ")")) inji (fmap+ cl±l’c->c (fmap+ inj 2 (fmap- 

(X —y lab (getSegm ta segl blocked)) 

(X _ —> SEGCTL1 segl blocked) fO efq x fO efq x 
" (taseglblocked -> SEGCTLlseglblocked)" □+ process+ fl 
(X _ —>• lab (getSegm tb segl blocked)) 

(X _ —> SEGCTL1 segl blocked) fO efqi fO efqi 
" (tbseglblocked -> SEGCTLlseglblocked)") DwNam+ fmap+ cl±l’c->c (fmap+ cW’c- 

(X —y lab (setSegm ta segl free)) 

(X —y SEGCTL segl free) fO efq x fO efq x 

" (taseglfree -> SEGCTLseglfree)" □+ process+ fl 

(X —y lab (setSegm ta segl blocked)) 

(X _ —> SEGCTL segl blocked) fO efq x fO efq x 
"(taseglblocked -> SEGCTLseglblocked) ") □+ fmap+ cW'c->c (process+ fl 

(X —y lab (setSegm tb segl free)) 

(X —y SEGCTL segl free) fO efq x fO efq x 

" (tbseglfree -> SEGCTLseglfree)" □+ process+ fl 
(X _ —> lab (setSegm tb segl blocked)) 

(X —y SEGCTL segl blocked) fO efq x fO efq x 

"(tbseglblocked -> SEGCTLseglblocked)")) Using 
(X str str’ —> strAppend str (strAppend " □ " str’)) , 

(X str —> strAppend "fmap (" (strAppend str ")")) , 

(X str —>• strAppend "fmap (" (strAppend str ") "))))))))))) Using 
(X str str’ —* strAppend str (strAppend " III " str’)) , 

(X a str —>• strAppend "fmap (" (strAppend str ")")) , 

(X a str —>■ strAppend "fmap (" (strAppend str ")"))) [ 

(X x —> true) ]||wl\lam+[ 

(X x —> true) ] process+ fl 

(X —y lab (getSegm ta segl free)) 

(X _ —>■ delay (node (process+ fl 
(X _ —>■ lab (setSig ta sigl green)) 

(X —y delay (node (process+ fl 

(X _ —> lab (setSegm ta segl blocked)) 

(X _ —> TRAINLEAVE ta segl sigl) fO efq x fO efq x 
"(taseglblocked -> TRAINLEAVEtaseglsigl) "))) fO efq x fO efq x 
" (tasiglgreen -> (taseglblocked -> TRAINLEAVEtaseglsigl)) "))) fO efq x fO efq x 
"(taseglfree -> (tasiglgreen -> (taseglblocked -> TRAINLEAVEtaseglsigl))) 
(X —y lab (setSig tb sig2 red)) 
(X _ —> delay (node (process+ fl 

(X —y lab (setSegm tb segl free)) 

(X _ —> TRAINENTER tb segl sig2) fO efqi fO efqi 
" (tbseglfree -> TRAINENTERtbseglsig2) "))) fO efq! fO efqi 
"(tbsig2red -> (tbseglfree -> TRAINENTERtbseglsig2))" Using 
(X str str’ —> strAppend str (strAppend " III " str’)) , 

(X a str —>■ strAppend "fmap (" (strAppend str ")")) , 

(X a str —>■ strAppend "fmap (" (strAppend str ")")) Using 

(X str str’ —> strAppend str (strAppend " [| |]" str’)) , 

(X a str—> strAppend "fmap (" (strAppend str ")")) , 

(X a str —» strAppend "fmap (" (strAppend str ")"))) (nth [] t))) zero 

(tnode (terc *)))))))) mm’ () 
noTraceBadSignal m .(lab (setSigs sig2 green) :: 4) 

(tnode (into .(lab (setSigs sig2 green) :: 4) ( suc zero) 

(tnode (extc 4 -m zero 
(tnode (into .4 -vn (suc ()) tr)))))) mm’ U’ 
noTraceBadSignal .(just (PT (((fmap+ cl±l'c->c (fmap+ cl±l’c->c (process+ fl 
(X _ —> lab (setSig ta sigl red)) 

(X _ —y SIGCTL sigl) fO efq! fO efq! 

" (tasiglred -> SIGCTLsigl)" □+ process+ fl 
(X _ —)■ lab (setSig ta sigl green)) 

(X —> SIGCTL sigl) fO efqi fO efqi 

" (tasiglgreen -> SIGCTLsigl)") □+ fmap+ cl±)’c->c (process+ fl 

(X —y lab (setSig tb sigl red)) 

(X —y SIGCTL sigl) fO efq! fO efqi 

" (tbsiglred -> SIGCTLsigl)" □+ process+ fl 

(X —y lab (setSig tb sigl green)) 

(X _ —y SIGCTL sigl) fO efqi fO efqi 

" (tbsiglgreen -> SIGCTLsigl)")) |||wl\lam++ fmap+ cW’c->c (fmap+ inj 2 (fmap+ cl±l'c->c (f 

(X —^ lab (setSig ta sig2 red)) 

(X _ —y SIGCTL sig2) fO efqi fO efqi 
" (tasig2red -> SIGCTLsig2)" □+ process+ fl 
(X _ —>■ lab (setSig ta sig2 green)) 

(X _ —y SIGCTL sig2) fO efqi fO efqi 
" (tasig2green -> SIGCTLsig2) ") □+ fmap+ cl±)’c->c (process+ fl 
(X _ —> lab (setSig tb sig2 red)) 

(X _ —> SIGCTL sig2) fO efqi fO efqi 
"(tbsig2red -> SIGCTLsig2)" □+ process+ fl 
(X _ —> lab (setSig tb sig2 green)) 

(X _ —y SIGCTL sig2) fO efqi fO efqi 
" (tbsig2green -> SIGCTLsig2) ")))))) Using 
(X str str’ —} strAppend str (strAppend " III " str’)) , 

(X a str —} strAppend "fmap (" (strAppend str ")")) , 

(X a str —} strAppend "fmap (" (strAppend str ")"))) |j|wNam++ fmap+ 01±)0->0 (fmapWi 
(X str —> strAppend "fmap (" (strAppend str ")")) inji (fmap+ cl±l’c->c (fmap+ inj 2 (fmap- 
(X _ —>• lab (setSegm ta segl free)) 

(X —> SEGCTL segl free) fO efqi fO efqi 

"(taseglfree -> SEGCTLseglf ree)" □+ process+ fl 
(X _ —} lab (setSegm ta segl blocked)) 

(X _ —> SEGCTL segl blocked) fO efq x fO efq x 
" (taseglblocked -> SEGCTLseglblocked) ") □+ fmap+ cl±l’c->c (process+ fl 

(X —y lab (setSegm tb segl free)) 

(X —> SEGCTL segl free) fO efq x fO efq x 

" (tbseglfree -> SEGCTLseglfree)" □+ process+ fl 
(X _ —} lab (setSegm tb segl blocked)) 

(X —y SEGCTL segl blocked) fO efq x fO efq x 

" (tbseglblocked -> SEGCTLseglblocked) ")))))) Using 
(X str str’ —* strAppend str (strAppend " III " str’)) , 

(X a str —} strAppend "fmap (" (strAppend str ")")) , 

(X a str —} strAppend "fmap (" (strAppend str ")"))) [ 

(X x —» true) ]||wNam+[ 

(X x —> true) ] process+ fl 

(X _ —> lab (getSegm ta segl free)) 

(X _ delay (node (process+ fl 

(X —y lab (setSig ta sigl green)) 

(X _ —>■ delay (node (process+ fl 

(X —y lab (setSegm ta segl blocked)) 

(X —> TRAINLEAVE ta segl sigl) fO efq x fO efq x 

"(taseglblocked -> TRAINLEAVEtaseglsigl) "))) fO efq x fO efq x 
" (tasiglgreen -> (taseglblocked -> TRAINLEAVEtaseglsigl)) "))) fO efq x fO efq x 
"(taseglfree -> (tasiglgreen -> (taseglblocked -> TRAINLEAVEtaseglsigl))) 
(X _ —>■ lab (setSegm tb segl blocked)) 

(X —y TRAINLEAVE tb segl sig2) fO efq x fO efq x 

"(tbseglblocked -> TRAINLEAVEtbseglsig2)" Using 
(X str str’ —> strAppend str (strAppend " III " str’)) , 

(X a str-t strAppend "fmap (" (strAppend str ")")) , 

(X a str —} strAppend "fmap (" (strAppend str ")")) Using 

(X str str’ —> strAppend str (strAppend " [| |]" str’)) , 

(X a str —} strAppend "fmap (" (strAppend str ")")) , 

(X a str —} strAppend "fmap (" (strAppend str ")"))) (nth [] t))) .(lab (setSigs sig2 green) : 

(tnode (intc .(lab (setSigs sig2 green) :: []) .(just (PT (((fmap+ cl±l’c->c (fmap+ cl±l’c->c ( 
(X —y lab (setSig ta sigl red)) 
(X _ —> SIGCTL sigl) fO efqi fO efqi 
" (tasiglred -> SIGCTLsigl)" □+ process+ fl 

(X —y lab (setSig ta sigl green)) 

(X —y SIGCTL sigl) fO efqi fO efqi 

" (tasiglgreen -> SIGCTLsigl)") □+ fmap+ cl±l’c->c (process+ fl 
(X _ —>■ lab (setSig tb sigl red)) 

(X —y SIGCTL sigl) fO efq! fO efq! 

" (tbsiglred -> SIGCTLsigl)" □+ process+ fl 

(X —y lab (setSig tb sigl green)) 

(X _ —y SIGCTL sigl) fO efqi fO efqi 

" (tbsiglgreen -> SIGCTLsigl)")) |||wNam++ fmap+ cl±)’c->c (fmap+ inj 2 (fmap+ cl±l'c->c (f 
(X _ —>■ lab (setSig ta sig2 red)) 

(X _ —'? SIGCTL sig2) fO efqi fO efqi 
" (tasig2red -> SIGCTLsig2)" □+ process+ fl 

(X —y lab (setSig ta sig2 green)) 

(X _ —>■ SIGCTL sig2) fO efqi fO efqi 
" (tasig2green -> SIGCTLsig2) ") □+ fmap+ cl±l’c->c (process+ fl 
(X _ —> lab (setSig tb sig2 red)) 

(X _ —y SIGCTL sig2) fO efqi fO efqi 
" (tbsig2red -> SIGCTLsig2)" □+ process+ fl 
(X _ —>■ lab (setSig tb sig2 green)) 

(X —> SIGCTL sig2) fO efqi fO efqi 

" (tbsig2green -> SIGCTLsig2) ")))))) Using 
(X str str’ —>• strAppend str (strAppend " III " str’)) , 

(X a str —>■ strAppend "fmap (" (strAppend str ")")) , 

(X a str —>■ strAppend "fmap (" (strAppend str ")"))) |||wl\lam++ fmap+ 01±)0->0 (fmapWithName- 
(X str —>■ strAppend "fmap (" (strAppend str ")")) inji (fmap+ cl±)’c->c (fmap+ inj 2 (fmap+ cW'c-; 

(X —y lab (setSegm ta segl free)) 

(X —y SEGCTL segl free) fO efqi fO efqi 

"(taseglfree -> SEGCTLseglf ree)" □+ process+ fl 

(X —^ lab (setSegm ta segl blocked)) 

(X _ —> SEGCTL segl blocked) fO efqi fO efqi 
" (taseglblocked -> SEGCTLseglblocked) ") □+ fmap+ cl±)'c->c (process+ fl 
(X _ —>■ lab (setSegm tb segl free)) 

(X —y SEGCTL segl free) fO efqi fO efqi 

"(tbseglfree -> SEGCTLseglf ree)" □+ process+ fl 
(X _ —> lab (setSegm tb segl blocked)) 

(X _ —> SEGCTL segl blocked) fO efqi fO efqi 
" (tbseglblocked -> SEGCTLseglblocked) ")))))) Using 
(X str str’ —>• strAppend str (strAppend " III " str’)) , 

(X a str —>■ strAppend "fmap (" (strAppend str ")")) , 
(X a str —>• strAppend "fmap (" (strAppend str ")"))) [ 

(X x —» true) ]||wNam+[ 

(X x —> true) ] process+ fl 

(X —y lab (getSegm ta segl free)) 

(X —y delay (node (process+ fl 

(X —y lab (setSig ta sigl green)) 

(X —y delay (node (process+ fl 

(X _ —>• lab (setSegm ta segl blocked)) 

(X _ —> TRAINLEAVE ta segl sigl) fO efqi fO efqi 
" (taseglblocked -> TRAINLEAVEtaseglsigl) "))) fO efqi fO efqi 
" (tasiglgreen -> (taseglblocked -> TRAINLEAVEtaseglsigl)) "))) fO efqi fO efqi 
"(taseglfree -> (tasiglgreen -> (taseglblocked -> TRAINLEAVEtaseglsigl))) 

(X —y lab (setSegm tb segl blocked)) 

(X —y TRAINLEAVE tb segl sig2) fO efq x fO efqi 

"(tbseglblocked -> TRAINLEAVEtbseglsig2)" Using 
(X str str’ —> strAppend str (strAppend " III " str’)) , 

(X a str —>• strAppend "fmap (" (strAppend str ")")) , 

(X a str —>■ strAppend "fmap (" (strAppend str ")")) Using 

(X str str’ —> strAppend str (strAppend " [| |]" str’)) , 

(X a str —)■ strAppend "fmap (" (strAppend str ")")) , 

(X a str —>• strAppend "fmap (" (strAppend str ")"))) (nth [] t))) (sue zero) 

(tnode (extc .[] .(just (PT (((fmap+ cl±l’c->c (fmap+ cl±l'c->c (process+ fl 

(X —y lab (setSig ta sigl red)) 

(X _ —y SIGCTL sigl) fO efqi fO efqi 
" (tasiglred -> SIGCTLsigl)" □+ process+ fl 
(X _ —)• lab (setSig ta sigl green)) 

(X —y SIGCTL sigl) fO efqi fO efqi 

"(tasiglgreen -> SIGCTLsigl)") □+ fmap+ cth)'c->c (process+ fl 
(X _ —> lab (setSig tb sigl red)) 

(X —y SIGCTL sigl) fO efqi fO efqi 

" (tbsiglred -> SIGCTLsigl)" □+ process+ fl 

(X —y lab (setSig tb sigl green)) 

(X _ —y SIGCTL sigl) fO efqi fO efqi 

" (tbsiglgreen -> SIGCTLsigl)")) |||wNam++ fmap+ cl±)’c->c (fmap+ inj 2 (fmap+ cLt 

(X —y lab (setSig ta sig2 red)) 

(X _ —y SIGCTL sig2) fO efqi fO efqi 
" (tasig2red -> SIGCTLsig2)" □+ process+ fl 

(X —y lab (setSig ta sig2 green)) 

(X _ SIGCTL sig2) fO efqi fO efqi 
" (tasig2green -> SIGCTLsig2) ") □+ fmap+ ctfcl'c->c (process+ fl 
(X —y lab (setSig tb sig2 red)) 
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(X _ —>■ SIGCTL sig2) fO efqi fO efqi 
" (tbsig2red -> SIGCTLsig2)" □+ process+ fl 

(X —y lab (setSig tb sig2 green)) 

(X _ —> SIGCTL sig2) fO efqi fO efqi 
" (tbsig2green -> SIGCTLsig2) ")))))) Using 
(X str str’ —>■ strAppend str (strAppend " III " str’)) , 

(X a str —>• strAppend "fmap (" (strAppend str ")")) , 

(X a str —> strAppend "fmap (" (strAppend str ")"))) |||wNam++ fmap+ 0l±)0->0 (fmapWithName- 
(X str —>• strAppend "fmap (" (strAppend str ")")) inj! (fmap+ cl±l’c->c (fmap+ inj 2 (fmap+ cC'c-i 
(X _ —>■ lab (setSegm ta segl free)) 

(X —> SEGCTL segl free) fO efqi fO efqi 

"(taseglfree -> SEGCTLseglf ree)" □+ process+ fl 
(X _ —>■ lab (setSegm ta segl blocked)) 

(X _ —> SEGCTL segl blocked) fO efq! fO efqi 
" (taseglblocked -> SEGCTLseglblocked) ") □+ fmap+ cl±)'c->c (process+ fl 

(X —y lab (setSegm tb segl free)) 

(X —> SEGCTL segl free) fO efqi fO efqi 

"(tbseglfree -> SEGCTLseglf ree)" □+ process+ fl 
(X _ —>• lab (setSegm tb segl blocked)) 

(X _ —> SEGCTL segl blocked) fO efqi fO efqi 
" (tbseglblocked -> SEGCTLseglblocked) ")))))) Using 
(X str str’ —>• strAppend str (strAppend " III " str’)) , 

(X a str strAppend "fmap (" (strAppend str ")")) , 

(X a str —> strAppend "fmap (" (strAppend str ")"))) [ 

(X x —» true) ]||wNam+[ 

(X x —> true) ] process+ fl 

(X —y lab (getSegm ta segl free)) 

(X _ —>• delay (node (process+ fl 

(X —y lab (setSig ta sigl green)) 

(X _ —>• delay (node (process+ fl 
(X _ —>■ lab (setSegm ta segl blocked)) 

(X _ —>• TRAINLEAVE ta segl sigl) fO efqi fO efqi 
"(taseglblocked -> TRAINLEAVEtaseglsigl) "))) fO efqi fO efqi 
" (tasiglgreen -> (taseglblocked -> TRAINLEAVEtaseglsigl) )"))) fO efqi fO efqi 
"(taseglfree -> (tasiglgreen -> (taseglblocked -> TRAINLEAVEtaseglsigl)))" |||wNai 

(X —y lab (setSegm tb segl blocked)) 

(X _ —> TRAINLEAVE tb segl sig2) fO efqi fO efqi 
"(tbseglblocked -> TRAINLEAVEtbseglsig2)" Using 
(X str str’ —>■ strAppend str (strAppend " III " str’)) , 

(X a str —>• strAppend "fmap (" (strAppend str ")")) , 

(X a str —> strAppend "fmap (" (strAppend str ")")) Using 


a 


o 




916 

o- 


A. 121. trainExampleCorrectedOptimized3ProofNonRefl.agda 
-o 


(X str str’ —>■ strAppend str (strAppend " [ I I ]" str’)) , 

(X a str —» strAppend "fmap (" (strAppend str ")")) , 

(X a str —>• strAppend "fmap (" (strAppend str ")"))) (nth [] t ))) zero 
(tnode (terc t )))))) mm’ () 

noTraceBadSignal m .(renamelnSystem (Lab (((fmap+ d±l'c->c (fmap+ cl±l’c->c (process+ fl 

(X —y lab (setSig ta sigl red)) 

(X —y SIGCTL sigl) fO efqi fO efqi 

" (tasiglred -> SIGCTLsigl)" □+ process+ fl 

(X —y lab (setSig ta sigl green)) 

(X _ SIGCTL sigl) fO efqi fO efqi 
" (tasiglgreen -> SIGCTLsigl)") □+ fmap+ cW’c->c (process+ fl 

(X —y lab (setSig tb sigl red)) 

(X _ —> SIGCTL sigl) fO efqi fO efqi 
" (tbsiglred -> SIGCTLsigl)" □+ process+ fl 
(X _ —> lab (setSig tb sigl green)) 

(X _ —> SIGCTL sigl) fO efqi fO efqi 

" (tbsiglgreen -> SIGCTLsigl)")) |||wl\lam++ fmap+ d±J'c->c (fmap+ cl±l’c->c (proce 
(X _ —> lab (setSig ta sig2 red)) 

(X _ —> SIGCTL sig2) fO efqi fO efqi 
" (tasig2red -> SIGCTLsig2)" □+ process+ fl 
(X _ —> lab (setSig ta sig2 green)) 

(X _ —> SIGCTL sig2) fO efqi fO efqi 
" (tasig2green -> SIGCTLsig2) ") □+ fmap+ cW’c->c (process+ fl 

(X —y lab (setSig tb sig2 red)) 

(X _ —y SIGCTL sig2) fO efqi fO efq x 
" (tbsig2red -> SIGCTLsig2)" □+ process+ fl 

(X —y lab (setSig tb sig2 green)) 

(X —y SIGCTL sig2) fO efqi fO efqi 

" (tbsig2green -> SIGCTLsig2) ")) Using 
(X str str’ —> strAppend str (strAppend " III " str’)) , 

(X a str —>• strAppend "fmap (" (strAppend str ")")) , 

(X a str —» strAppend "fmap (" (strAppend str ")"))) |j|wNam++ fmap+ 0l±)0->0 (fmapWi 
(X str —> strAppend "fmap (" (strAppend str ")")) inji (fmap+ cl±l'c->c (fmap+ inj 2 (fmap- 
(X _ —)■ lab (setSegm ta segl free)) 

(X _ —> SEGCTL segl free) fO efq x fO efqi 
"(taseglfree -> SEGCTLseglfree)" □+ process+ fl 
(X _ —> lab (setSegm ta segl blocked)) 

(X —> SEGCTL segl blocked) fO efqi fO efqi 
" (taseglblocked -> SEGCTLseglblocked) ") □+ fmap+ cthl'c->c (process+ fl 
(X _ —> lab (setSegm tb segl free)) 

(X _ —t- SEGCTL segl free) fO efqi fO efqi 
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"(tbseglfree -> SEGCTLseglf ree)" □+ process+ fl 

(X —y lab (setSegm tb segl blocked)) 

(X _ —> SEGCTL segl blocked) fO efqi fO efqi 
" (tbseglblocked -> SEGCTLseglblocked) ")))))) Using 
(X str str’ —y strAppend str (strAppend " III " str’)) , 

(X a str—} strAppend "fmap (" (strAppend str ")")) , 

(X a str —y strAppend "fmap (" (strAppend str ")"))) [ 

(X x —v true) ]||wl\lam+[ 

(X x —y true) ] process+ fl 

(X _ —y lab (getSegm ta segl free)) 

(X _ —y delay (node (process+ fl 
(X _ —y lab (setSig ta sigl green)) 

(X _ —y delay (node (process+ fl 
(X _ —y lab (setSegm ta segl blocked)) 

(X —y TRAIN LEAVE ta segl sigl) fO efqi fO efqi 

" (taseglblocked -> TRAINLEAVEtaseglsigl) "))) fO efqi fO efqi 
" (tasiglgreen -> (taseglblocked -> TRAINLEAVEtaseglsigl) )"))) fO efqi fO efqi 
"(taseglfree -> (tasiglgreen -> (taseglblocked -> TRAINLEAVEtaseglsigl)))" |||wNa 

(X —y lab (setSig tb sig2 green)) 

(X _ —y delay (node (process+ fl 

(X —y lab (setSegm tb segl blocked)) 

(X _ —y TRAINLEAVE tb segl sig2) fO efqi fO efqi 
"(tbseglblocked -> TRAINLEAVEtbseglsig2) "))) fO efqi fO efqi 
"(tbsig2green -> (tbseglblocked -> TRAINLEAVEtbseglsig2))" Using 
(X str str’ —y strAppend str (strAppend " III " str’)) , 

(X a str —y strAppend "fmap (" (strAppend str ")")) , 

(X a str —y strAppend "fmap (" (strAppend str ")")) Using 

(X str str’ —y strAppend str (strAppend " [| |]" str’)) , 

(X a str —y strAppend "fmap (" (strAppend str ")")) , 

(X a str —>■ strAppend "fmap (" (strAppend str ")"))) (projSubset (nth [] _))) :: li) 

(tnode (intc .(renamelnSystem (Lab (((fmap+ cl±l'c->c (fmap+ cl±l'c->c (process+ fl 
(X _ —} lab (setSig ta sigl red)) 

(X _ —} SIGCTL sigl) fO efqi fO efqi 
" (tasiglred -> SIGCTLsigl)" □+ process+ fl 
(X _ —} lab (setSig ta sigl green)) 

(X _ —y SIGCTL sigl) fO efqi fO efqi 
"(tasiglgreen -> SIGCTLsigl)") □+ fmap+ d±l'c->c (process+ fl 
(X _ —} lab (setSig tb sigl red)) 

(X _ —y SIGCTL sigl) fO efqi fO efqi 
" (tbsiglred -> SIGCTLsigl)" □+ process+ fl 
(X —y lab (setSig tb sigl green)) 
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(X —} SIGCTL sigl) fO efq x fO efqi 

" (tbsiglgreen -> SIGCTLsigl) ")) |||wNam++ fmap+ cl±)’c->c (fmap+ cl±)’c->c (proce 

(X —} lab (setSig ta sig2 red)) 

(X _ — SIGCTL sig2) fO efq x fO efq x 
" (tasig2red -> SIGCTLsig2)" □+ process+ fl 

(X —} lab (setSig ta sig2 green)) 

(X —} SIGCTL sig2) fO efq x fO efq x 

" (tasig2green -> SIGCTLsig2) ") □+ fmap+ cl±l’c->c (process+ fl 

(X —} lab (setSig tb sig2 red)) 

(X _ SIGCTL sig2) fO efqi fO efqi 
" (tbsig2red -> SIGCTLsig2)" □+ process+ fl 

(X —} lab (setSig tb sig2 green)) 

(X _ —> SIGCTL sig2) fO efq x fO efq x 
" (tbsig2green -> SIGCTLsig2) ")) Using 
(X str str’ —} strAppend str (strAppend " III " str’)) , 

(X a str —} strAppend "fmap (" (strAppend str ")")) , 

(X a str —>■ strAppend "fmap (" (strAppend str ")"))) |||wl\lam++ fmap+ 0l±)0->0 (fmapWi 
(X str-t strAppend "fmap (" (strAppend str ")")) inji (fmap+ cl±l’c->c (fmap+ inj 2 (fmap- 
(X _ —> lab (setSegm ta segl free)) 

(X —y SEGCTL segl free) fO efqi fO efqi 

"(taseglfree -> SEGCTLseglf ree)" □+ process+ fl 

(X —} lab (setSegm ta segl blocked)) 

(X —} SEGCTL segl blocked) fO efqi fO efq x 

" (taseglblocked -> SEGCTLseglblocked) ") □+ fmap+ cl±l'c->c (process+ fl 
(X _ -} lab (setSegm tb segl free)) 

(X —> SEGCTL segl free) fO efq x fO efq x 

"(tbseglfree -> SEGCTLseglf ree)" □+ process+ fl 

(X —} lab (setSegm tb segl blocked)) 

(X —} SEGCTL segl blocked) fO efq x fO efq x 

" (tbseglblocked -> SEGCTLseglblocked) ")))))) Using 
(X str str’ —} strAppend str (strAppend " III " str’)) , 

(X a str—} strAppend "fmap (" (strAppend str ")")) , 

(X a str—} strAppend "fmap (" (strAppend str ")"))) [ 

(X x —} true) ]||wl\lam+[ 

(X x —} true) ] process+ fl 

(X _ —> lab (getSegm ta segl free)) 

(X _ —> delay (node (process+ fl 

(X —} lab (setSig ta sigl green)) 

(X _ —> delay (node (process+ fl 

(X —} lab (setSegm ta segl blocked)) 

(X —y TRAINLEAVE ta segl sigl) fO efq x fO efq x 


a 
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" (taseglblocked -> TRAINLEAVEtaseglsigl) "))) fO efqi fO efqi 
" (tasiglgreen -> (taseglblocked -> TRAINLEAVEtaseglsigl) )"))) fO efq x fO efq x 
"(taseglfree -> (tasiglgreen -> (taseglblocked -> TRAINLEAVEtaseglsigl)))" |||wNa 
(A _ —>• lab (setSig tb sig2 green)) 

(A _ —>■ delay (node (process+ fl 
(A _ —> lab (setSegm tb segl blocked)) 

(A _ —> TRAINLEAVE tb segl sig2) fO efq x fO efq x 
" (tbseglblocked -> TRAINLEAVEtbseglsig2) "))) fO efq x fO efq x 
"(tbsig2green -> (tbseglblocked -> TRAINLEAVEtbseglsig2))" Using 
(A str str’ —>• strAppend str (strAppend " III " str ’)) , 

(A a str —» strAppend "fmap (" (strAppend str ")")) , 

(A a str —>■ strAppend "fmap (" (strAppend str ")")) Using 

(A str str’ —* strAppend str (strAppend " [| |]" str’)) , 

(A a str —>• strAppend "fmap (" (strAppend str ")")) , 

(A a str —>• strAppend "fmap (" (strAppend str ")"))) (projSubset (nth [] _))) :: 4) .m (sue zero) 

(tnode (extc 4 .m (sue ()) tr)))) mm’ 11’ 
noTraceBadSignal m l 
(tnode (intc .1 .m (sue zero) 

(tnode (intc .1 .m 0 tr)))) mm’ll’ 

noTraceBadSignal .(just (PT (((fmap+ cl±l'c->c (fmap+ cl±l'c->c (process+ fl 
(A _ —y lab (setSig ta sigl red)) 

(A —> SIGCTL sigl) fO efq x fO efq x 
" (tasiglred -> SIGCTLsigl)" □+ process+ fl 
(A _ —>• lab (setSig ta sigl green)) 

(A _ —> SIGCTL sigl) fO efq x fO efq x 
"(tasiglgreen -> SIGCTLsigl)") □+ fmap+ cl±l’c->c (process+ fl 
(A _ —> lab (setSig tb sigl red)) 

(A _ —>• SIGCTL sigl) fO efqx fO efq x 
" (tbsiglred -> SIGCTLsigl)" □+ process+ fl 
(A _ —> lab (setSig tb sigl green)) 

(A _ —y SIGCTL sigl) fO efqx fO efqx 

" (tbsiglgreen -> SIGCTLsigl)")) |||wNam++ fmap+ c(±J’c->c (fmap+ cl±)’c->c (process+ fl 
(A _ —>■ lab (setSig ta sig2 red)) 

(A _ —>• SIGCTL sig2) fO efq x fO efq x 
" (tasig2red -> SIGCTLsig2)" □+ process+ fl 
(A _ —> lab (setSig ta sig2 green)) 

(A _ —y SIGCTL sig2) fO efqx fO efq x 
" (tasig2green -> SIGCTLsig2) ") □+ fmap+ d±)'c->c (process+ fl 
(A _ —y lab (setSig tb sig2 red)) 

(A _ —>• SIGCTL sig2) fO efq x fO efq x 
" (tbsig2red -> SIGCTLsig2)" □+ process+ fl 


a 
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(X —y lab (setSig tb sig2 green)) 

(X _ —y SIGCTL sig2) fO efq x fO efq x 
" (tbsig2green -> SIGCTLsig2) ")) Using 
(X str str’ —> strAppend str (strAppend " III " str’)) , 

(X a str —>• strAppend "fmap (" (strAppend str ")")) , 

(X a str —>■ strAppend "fmap (" (strAppend str ")"))) |||wl\lam++ fmap+ 0l±l0->0 (fmapWi 
(X str —» strAppend "fmap (" (strAppend str ")")) inji (fmap+ cl±l’c->c (fmap+ inj 2 (fmap- 
(X _ —>• lab (setSegm ta segl free)) 

(X _ —> SEGCTL segl free) fO efq x fO efq x 
"(taseglfree -> SEGCTLseglfree)" □ + process+ fl 

(X —y lab (setSegm ta segl blocked)) 

(X —y SEGCTL segl blocked) fO efq x fO efq x 

" (taseglblocked -> SEGCTLseglblocked) ") □+ fmap+ cl±)’c->c (process+ fl 

(X —y lab (setSegm tb segl free)) 

(X _ —> SEGCTL segl free) fO efq x fO efq x 
"(tbseglfree -> SEGCTLseglfree)" □+ process+ fl 

(X —y lab (setSegm tb segl blocked)) 

(X _ —> SEGCTL segl blocked) fO efq x fO efq x 
" (tbseglblocked -> SEGCTLseglblocked) ")))))) Using 
(X str str’ —> strAppend str (strAppend " III " str’)) , 

(X a str —>■ strAppend "fmap (" (strAppend str ")")) , 

(X a str —)■ strAppend "fmap (" (strAppend str ")"))) [ 

(X x —> true) ]||wNam+[ 

(X x —> true) ] process+ fl 

(X _ —> lab (getSegm ta segl free)) 

(X —y delay (node (process+ fl 

(X —y lab (setSig ta sigl green)) 

(X —y delay (node (process+ fl 

(X _ —»• lab (setSegm ta segl blocked)) 

(X _ —> TRAINLEAVE ta segl sigl) fO efq x fO efq x 
"(taseglblocked -> TRAINLEAVEtaseglsigl) "))) fO efq x fO efq x 
" (tasiglgreen -> (taseglblocked -> TRAINLEAVEtaseglsigl)) "))) fO efq x fO efq x 
"(taseglfree -> (tasiglgreen -> (taseglblocked -> TRAINLEAVEtaseglsigl))) 
(X _ —>■ lab (setSig tb sig2 green)) 

(X —y delay (node (process+ fl 

(X _ —> lab (setSegm tb segl blocked)) 

(X _ —> TRAINLEAVE tb segl sig2) fO efq x fO efq x 
"(tbseglblocked -> TRAINLEAVEtbseglsig2) "))) fO efq x fO efq x 
"(tbsig2green -> (tbseglblocked -> TRAINLEAVEtbseglsig2))" Using 
(X str str’ —> strAppend str (strAppend " III " str’)) , 

(X a str strAppend "fmap (" (strAppend str ")")) , 


o 
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(X a str —> strAppend "fmap (" (strAppend str ")")) Using 
(X str str’ —>■ strAppend str (strAppend " [| |]" str’)) , 

(X a str —> strAppend "fmap (" (strAppend str ")")) , 

(X a str —>■ strAppend "fmap (" (strAppend str ")"))) (nth [] t))) .[] 

(tnode (intc .[] .(just (PT (((fmap+ cl±l’c->c (fmap+ cl±)’c->c (process+ fl 

(X —y lab (setSig ta sigl red)) 

(X —y SIGCTL sigl) fO efqi fO efqi 

"(tasiglred -> SIGCTLsigl)" □+ process+ fl 
(X _ —>• lab (setSig ta sigl green)) 

(X _ —> SIGCTL sigl) fO efq! fO efqi 
" (tasiglgreen -> SIGCTLsigl)") □+ fmap+ d±)'c->c (process+ fl 
(X _ —>■ lab (setSig tb sigl red)) 

(X _ —> SIGCTL sigl) fO efqi fO efqi 
" (tbsiglred -> SIGCTLsigl)" □+ process+ fl 

(X —y lab (setSig tb sigl green)) 

(X —> SIGCTL sigl) fO efqi fO efqi 

" (tbsiglgreen -> SIGCTLsigl)")) |||wl\lam++ fmap+ cl±l’c->c (fmap+ ctfcl'c->c (process+ fl 
(X _ —> lab (setSig ta sig2 red)) 

(X _ —y SIGCTL sig2) fO efqi fO efqi 
" (tasig2red -> SIGCTLsig2)" □+ process+ fl 
(X _ —>■ lab (setSig ta sig2 green)) 

(X —> SIGCTL sig2) fO efqi fO efqi 

" (tasig2green -> SIGCTLsig2) ") □+ fmap+ d±l’c->c (processT fl 

(X —^ lab (setSig tb sig2 red)) 

(X _ —> SIGCTL sig2) fO efqi fO efqi 
" (tbsig2red -> SIGCTLsig2)" □+ process+ fl 

(X —y lab (setSig tb sig2 green)) 

(X _ —> SIGCTL sig2) fO efqi fO efqi 
" (tbsig2green -> SIGCTLsig2) ")) Using 
(X str str’ —>• strAppend str (strAppend " III " str’)) , 

(X a str —>• strAppend "fmap (" (strAppend str ")")) , 

(X a str —> strAppend "fmap (" (strAppend str ")"))) j|jwNam++ fmap+ 0l±l0->0 (fmapWithName- 
(X str —> strAppend "fmap (" (strAppend str ")")) inji (fmap+ cl±)’c->c (fmap+ inj 2 (fmap+ ctd'c-' 
(X _ —>■ lab (setSegm ta segl free)) 

(X _ —> SEGCTL segl free) fO efqi fO efqi 
"(taseglfree -> SEGCTLseglf ree)" □+ process+ fl 
(X _ —> lab (setSegm ta segl blocked)) 

(X —> SEGCTL segl blocked) fO efqi fO efqi 

" (taseglblocked -> SEGCTLseglblocked) ") □+ fmap+ cW'c->c (process+ fl 
(X _ —> lab (setSegm tb segl free)) 

(X —y SEGCTL segl free) fO efqi fO efqi 
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"(tbseglfree -> SEGCTLseglf ree)" □+ process+ fl 

(X —y lab (setSegm tb segl blocked)) 

(X _ —> SEGCTL segl blocked) fO efq x fO efq x 
" (tbseglblocked -> SEGCTLseglblocked) ")))))) Using 
(X str str’ —> strAppend str (strAppend " III " str’)) , 

(X a str —>■ strAppend "fmap (" (strAppend str ")")) , 

(X a str —>• strAppend "fmap (" (strAppend str ")"))) [ 

(X x —* true) ]||wNam+[ 

(X x —> true) ] process+ fl 

(X —y lab (getSegm ta segl free)) 

(X —y delay (node (process+ fl 

(X —y lab (setSig ta sigl green)) 

(X —y delay (node (process+ fl 

(X —y lab (setSegm ta segl blocked)) 

(X _ —> TRAINLEAVE ta segl sigl) fO efq x fO efq x 
" (taseglblocked -> TRAINLEAVEtaseglsigl) "))) fO efq x fO efq x 
" (tasiglgreen -> (taseglblocked -> TRAINLEAVEtaseglsigl)) "))) fO efq x fO efq x 
"(taseglfree -> (tasiglgreen -> (taseglblocked -> TRAINLEAVEtaseglsigl))) 
(X _ —> lab (setSig tb sig2 green)) 

(X —y delay (node (process+ fl 

(X —y lab (setSegm tb segl blocked)) 

(X _ —> TRAINLEAVE tb segl sig2) fO efq x fO efq x 
"(tbseglblocked -> TRAINLEAVEtbseglsig2) "))) fO efq x fO efq x 
"(tbsig2green -> (tbseglblocked -> TRAINLEAVEtbseglsig2))" Using 
(X str str’ —> strAppend str (strAppend " III " str’)) , 

(X a str —>• strAppend "fmap (" (strAppend str ")")) , 

(X a str —>■ strAppend "fmap (" (strAppend str ")")) Using 

(X str str’ —> strAppend str (strAppend " [ I I ]" str’)) , 

(X a str —>■ strAppend "fmap (" (strAppend str ")")) , 

(X a str —>• strAppend "fmap (" (strAppend str ")"))) (nth [] t))) (sue zero) 

(tnode (terc f)))) mm’ () 
noTraceBadSignal m l 

(tnode (intc .1 .m (sue (sue ())) tr)) mm’ IV 
noTraceBadSignal .(just (PT (((fmap+ cl±l'c->c (fmap+ cl±l'c->c (process+ fl 

(X —y lab (setSig ta sigl red)) 

(X _ —y SIGCTL sigl) fO efq x fO efq x 
" (tasiglred -> SIGCTLsigl)" □+ process+ fl 

(X —y lab (setSig ta sigl green)) 

(X _ —y SIGCTL sigl) fO efq x fO efq x 
"(tasiglgreen -> SIGCTLsigl)") □+ fmap+ cttl'c->c (process+ fl 
(X —y lab (setSig tb sigl red)) 
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(X _ —> SIGCTL sigl) fO efqi fO efqi 
" (tbsiglred -> SIGCTLsigl)" □+ process+ fl 

(X —y lab (setSig tb sigl green)) 

(X —y SIGCTL sigl) fO efqi fO efqi 

" (tbsiglgreen -> SIGCTLsigl)")) |||wl\lam++ fmap+ cl±l’c->c (fmap+ cl±l’c->c (process+ fl 

(X —^ lab (setSig ta sig2 red)) 

(X —y SIGCTL sig2) fO efq! fO efqi 

"(tasig2red -> SIGCTLsig2)" □+ process+ fl 

(X —y lab (setSig ta sig2 green)) 

(X _ —y SIGCTL sig2) fO efqi fO efqi 
" (tasig2green -> SIGCTLsig2) ") □+ fmap+ cl±)’c->c (process+ fl 
(X _ —>■ lab (setSig tb sig2 red)) 

(X —y SIGCTL sig2) fO efqi fO efqi 

" (tbsig2red -> SIGCTLsig2)" □+ process+ fl 

(X —^ lab (setSig tb sig2 green)) 

(X _ —>■ SIGCTL sig2) fO efqi fO efqi 
" (tbsig2green -> SIGCTLsig2) ")) Using 
(X str str’ —> strAppend str (strAppend " III " str’)) , 

(X a str —>• strAppend "fmap (" (strAppend str ")")) , 

(X a str —> strAppend "fmap (" (strAppend str ")"))) |||wl\lam++ fmap+ 01 ±) 0->0 (fmap+ ct±J’c->c 
(X _ —>■ lab (getSegm ta segl free)) 

(X _ —> SEGCTL1 segl free) fO efqi fO efqi 
"(taseglfree -> SEGCTLlseglfree)" □ + process+ fl 

(X —y lab (getSegm tb segl free)) 

(X _ —> SEGCTL1 segl free) fO efq x fO efqi 

"(tbseglfree -> SEGCTLlseglfree)") DwNam+ fmap+ cl±J’c->c (fmap+ cl±)’c->c (process+ fl 

(X —y lab (setSegm ta segl free)) 

(X —y SEGCTL segl free) fO efqi fO efqi 

"(taseglfree -> SEGCTLseglf ree)" □+ process+ fl 

(X —y lab (setSegm ta segl blocked)) 

(X —y SEGCTL segl blocked) fO efqi fO efqi 

" (taseglblocked -> SEGCTLseglblocked) ") □+ fmap+ cl±)'c->c (process+ fl 
(X _ —>■ lab (setSegm tb segl free)) 

(X —y SEGCTL segl free) fO efqi fO efqi 

"(tbseglfree -> SEGCTLseglf ree)" □+ process+ fl 
(X _ —>■ lab (setSegm tb segl blocked)) 

(X _ —> SEGCTL segl blocked) fO efqi fO efqi 
"(tbseglblocked -> SEGCTLseglblocked)")) Using 
(X str str’ —> strAppend str (strAppend " □ " str’)) , 

(X str —>■ strAppend "fmap (" (strAppend str ")")) , 

(X str —>• strAppend "fmap (" (strAppend str")"))) Using 


a 
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(X str str’ —>■ strAppend str (strAppend " III " str’)) , 

(X a str —>• strAppend "fmap (" (strAppend str ")")) , 

(X a str —>• strAppend "fmap (" (strAppend str ")"))) [ 

(X x —» true) ]||wl\lam+[ 

(X x —> true) ] process+ fl 

(X _ —>• lab (getSegm ta segl free)) 

(X —y delay (node (process+ fl 

(X —y lab (setSig ta sigl green)) 

(X —y delay (node (process+ fl 

(X _ —>■ lab (setSegm ta segl blocked)) 

(X —y TRAINLEAVE ta segl sigl) fO efqi fO efqi 

" (taseglblocked -> TRAINLEAVEtaseglsigl) "))) fO efqi fO efqi 
" (tasiglgreen -> (taseglblocked -> TRAINLEAVEtaseglsigl)) "))) fO efqi fO efqi 
"(taseglfree -> (tasiglgreen -> (taseglblocked -> TRAINLEAVEtaseglsigl))) 
(X _ —> lab (getSegm tb segl free)) 

(X —y delay (node (process+ fl 

(X _ —>• lab (setSig tb sig2 green)) 

(X _ —> delay (node (process+ fl 
(X _ —>• lab (setSegm tb segl blocked)) 

(X —y TRAINLEAVE tb segl sig2) fO efqi fO efqi 

" (tbseglblocked -> TRAINLEAVEtbseglsig2) "))) fO efqi fO efqi 
" (tbsig2green -> (tbseglblocked -> TRAINLEAVEtbseglsig2)) "))) fO efqi fO efqi 
"(tbseglfree -> (tbsig2green -> (tbseglblocked -> TRAINLEAVEtbseglsig2))) 
(X str str’ —> strAppend str (strAppend " III " str’)) , 

(X a str —>• strAppend "fmap (" (strAppend str ")")) , 

(X a str —>• strAppend "fmap (" (strAppend str ")")) Using 

(X str str’ — * strAppend str (strAppend " [| |]" str’)) , 

(X a str —>• strAppend "fmap (" (strAppend str ")")) , 

(X a str —>■ strAppend "fmap (" (strAppend str ")"))) (nth [] ())) .[] 

(tnode (terc t)) mm’ () 


badSignal : (OPTIMIZED-SYSTEM ⊑∞ BADSIGNALS) → ⊥
badSignal x = noTraceBadSignal nothing badTraceLabels
                (x badTraceLabels nothing badTraceBadSignal)
                refl refl

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A. 122 trainExampleCorrectedOptimized3ProofNonRefCutI 


--@PREFIX@traceCorrectedSystem

module trainExampleCorrectedOptimized3ProofNonRefinementCutDown where
--module trainExample where

open import Data.Bool hiding (_≡_)
open import Data.Sum
open import Data.Unit
open import Relation.Binary.PropositionalEquality
open import Data.Bool.Base renaming (T to T') hiding (_≡_)
open import libBool
open import dataAuxFunction
open import process
open import libList
open import Data.String
open import Data.Maybe
open import Data.String renaming (_==_ to _==strb_ ; _++_ to _++s_)
open import Data.List renaming (_++_ to _++l_ ; map to mapL)
open import labelUniv
open import Size
open import process
open import choiceSetU
open import choiceFromList
open import preFix
open import simulator
open import NativeIO
open import SizedIO.Console hiding (main)
open import externalChoice
open import Data.Fin

open import Data.Nat hiding (_≡_)
open import parallelSimple
open import interleave
open import auxData
open import hidingOperator
open import renamingOperator
{- needed possibly for compilation -}

open import SizedIO.Base
open import renamingResult
open import dataAuxFunction hiding (- 1 )
open import Relation.Nullary.Decidable
open import Data.String
open import UnitModule
open import Data.Empty
open import trainExample hiding (SEGCTL1 ; SEGCTL2 ; SEGCTL ; SYSTEMp1 ; SYSTEM
open import trainExampleCorrected
open import TraceWithoutSize
open import RefWithoutSize
-- open import dataAuxFunction
open import choiceSetUOptimized3
open import process2OptimizedProcess3

postulate TODO : {A : Set} → A

--@BEGIN@badTrace
badTraceLabels : List (Label labelTrains)
badTraceLabels = lab (setSigs sig1 green) ∷ lab (setSigs sig2 green) ∷ []

badTraceBadSignal : Tr∞ {labelTrains} badTraceLabels nothing BADSIGNALS
badTraceBadSignal = tnode (extc (lab (setSigs sig2 green) ∷ []) nothing (inj₁ zero)
                      (tnode (extc [] nothing zero
                        (tnode empty))))

noTraceBadSignal : (m : Maybe (ChoiceSet (∅' ×' ∅' ×' ∅' ×' (∅' ×' ∅'))))
                   (l : List (Label labelTrains))
                   (tr : Tr∞ {labelTrains} l m OPTIMIZED-SYSTEM)
                   (mm' : m ≡ nothing)
                   (ll' : l ≡ badTraceLabels)
                   → ⊥
noTraceBadSignal = -- Proof omitted in thesis,
                   -- available in the CSP-Agda repository
                   --@HIDE-BEG
                   TODO
                   --@HIDE-END

badSignalProof : (OPTIMIZED-SYSTEM ⊑∞ BADSIGNALS) → ⊥
badSignalProof x = noTraceBadSignal nothing badTraceLabels
                     (x badTraceLabels nothing badTraceBadSignal)
                     refl refl
--@END


A. 123 trainExampleOptimized3.agda 


--@PREFIX@trainExampleOptimizedThree
module trainExampleOptimized3 where

open import Data.Bool hiding (_≡_)
open import Data.Sum
open import Data.Bool.Base renaming (T to T') hiding (_≡_)
open import libBool
open import libList
open import Data.String
open import Data.String renaming (_==_ to _==strb_ ; _++_ to _++s_)
open import Data.List renaming (_++_ to _++l_ ; map to mapL)
open import labelUniv
open import Size
open import process
open import choiceSetU
open import choiceFromList
open import preFix
open import simulator
open import NativeIO
open import SizedIO.Console hiding (main)
open import externalChoice
open import Data.Fin
open import Data.Nat hiding (_≡_)
open import parallelSimple
open import interleave
open import hidingOperator
open import renamingOperator
open import SizedIO.Base
open import renamingResult
open import dataAuxFunction hiding (test)
open import Relation.Nullary.Decidable
open import Data.String
open import UnitModule
open import trainExample hiding (SEGCTL1 ; SEGCTL2 ; SEGCTL ; SYSTEMp1 ; SYSTEMp2 ; SYSTEM ; SYSTEMSHIDE ; SYSTEM-SIGONLY ; main ; TRAINENTER ; TRAINLEAVE ;
open import trainExample hiding (main)
open import choiceSetUOptimized3
open import process2OptimizedProcess3

OPTIMIZED-SYSTEM : Process∞ ∞ (∅' ×' ∅' ×' ∅' ×' (∅' ×' ∅'))
OPTIMIZED-SYSTEM = optmizedProcess∞ ∞ (∅' ×' ∅' ×' ∅' ×' (∅' ×' ∅')) SYSTEM-SIG01

main : NativeIO Unit
main = compile OPTIMIZED-SYSTEM

test : Process ∞ (∅' ×' ∅' ×' ∅' ×' (∅' ×' ∅'))
test = forcep OPTIMIZED-SYSTEM {∞}

test1 : Choice
test1 = Ep test

test2 : Choice
test2 = Ip test

test3 : Choice
test3 = Tp test


A. 124 trainExampleOptimized3ProofRefinement.agda 


--@PREFIX@trainExampleOptimizedThreeProofRefinement
module trainExampleOptimized3ProofRefinement where

open import Data.Bool hiding (_≡_)
open import Data.Sum
open import Data.Maybe
open import Data.Bool.Base renaming (T to T') hiding (_≡_)
open import libBool
open import auxData
open import libList
open import Data.String
open import Data.String renaming (_==_ to _==strb_ ; _++_ to _++s_)
open import Data.List renaming (_++_ to _++l_ ; map to mapL)
open import labelUniv
open import Size
open import process
open import choiceSetU
open import choiceFromList
open import preFix
open import simulator
open import NativeIO
open import SizedIO.Console hiding (main)
open import externalChoice
open import Data.Fin
open import Data.Nat hiding (_≡_)
open import parallelSimple
open import choiceSetU
open import interleave
open import hidingOperator
open import renamingOperator
open import primitiveProcess
open import TraceWithoutSize
open import RefWithoutSize
open import SizedIO.Base
open import renamingResult
open import dataAuxFunction
open import Relation.Nullary.Decidable
open import Data.String
open import UnitModule
open import trainExample
open import trainExampleOptimized3

badSignal : OPTIMIZED-SYSTEM ⊑∞ BADSIGNALS
badSignal .[] .nothing (tnode empty) = tnode empty
badSignal .(lab (setSigs sig1 green) ∷ [])
          .nothing (tnode (extc .[] .nothing (inj₁ zero)
          (tnode empty))) = tnode (intc (lab (setSigs sig1 green) ∷ []) nothing zero
                                   (tnode (extc [] nothing zero
                                     (tnode empty))))
-- trace is lab (setSigs sig1 green) ∷ [] ; nothing
badSignal .(lab (setSigs sig1 green) ∷ lab (setSigs sig2 green) ∷ [])
          .nothing (tnode (extc .(lab (setSigs sig2 green) ∷ [])
          .nothing (inj₁ zero) (tnode (extc .[] .nothing zero (tnode empty))))) =
  tnode (intc (lab (setSigs sig1 green) ∷ lab (setSigs sig2 green) ∷ []) nothing zero
    (tnode (extc (lab (setSigs sig2 green) ∷ []) nothing zero
      (tnode (intc (lab (setSigs sig2 green) ∷ []) nothing zero
        (tnode (extc [] nothing zero
          (tnode empty))))))))
-- trace is (lab (setSigs sig1 green) ∷ lab (setSigs sig2 green) ∷ []) ; nothing
badSignal .(lab (setSigs sig1 green) ∷ lab (setSigs sig2 green) ∷ efq _ ∷ l) m
          (tnode (extc .(lab (setSigs sig2 green) ∷ efq _ ∷ l) .m (inj₁ zero)
          (tnode (extc .(efq _ ∷ l) .m zero (tnode (extc l .m () tr))))))
badSignal .(lab (setSigs sig1 green) ∷ lab (setSigs sig2 green) ∷ l) m
          (tnode (extc .(lab (setSigs sig2 green) ∷ l) .m (inj₁ zero)
          (tnode (extc l .m zero (tnode (intc .l .m () tr))))))
badSignal .(lab (setSigs sig1 green) ∷ lab (setSigs sig2 green) ∷ [])
          .(just (efq∅⊎∅ (inj₁ (efq _)))) (tnode (extc .(lab (setSigs sig2 green) ∷ [])
          .(just (efq∅⊎∅ (inj₁ (efq _)))) (inj₁ zero) (tnode (extc .[] .(just (efq∅⊎∅ (inj₁ (efq _))))
badSignal .(lab (setSigs sig1 green) ∷ lab (setSigs sig2 green) ∷ l) m
          (tnode (extc .(lab (setSigs sig2 green) ∷ l) .m (inj₁ zero) (tnode (extc l .m (suc ()) tr))))
badSignal .(lab (setSigs sig1 green) ∷ l) m (tnode (extc l .m (inj₁ zero) (tnode (intc .l .m () tr))))
badSignal .(lab (setSigs sig1 green) ∷ []) .(just (efq∅⊎∅ (inj₁ (efq _))))
          (tnode (extc .[] .(just (efq∅⊎∅ (inj₁ (efq _)))) (inj₁ zero) (tnode (terc ()))))
badSignal .(lab (setSigs sig1 green) ∷ l) m (tnode (extc l .m (inj₁ (suc ())) tr))

badSignal .(lab (setSigs sig2 green) ∷ []) .nothing (tnode (extc .[] .nothing (inj₂ zero) (tnode empty))) =
  tnode (intc (lab (setSigs sig2 green) ∷ []) nothing (suc zero)
    (tnode (extc [] nothing zero
      (tnode empty))))
-- trace is lab (setSigs sig2 green) ∷ [] ; nothing
badSignal .(lab (setSigs sig2 green) ∷ lab (setSigs sig1 green) ∷ []) .nothing
          (tnode (extc .(lab (setSigs sig1 green) ∷ []) .nothing (inj₂ zero) (tnode (extc .[] .nothing zero (tnode empty))))) =
  tnode (intc (lab (setSigs sig2 green) ∷ lab (setSigs sig1 green) ∷ []) nothing (suc zero)
    (tnode (extc (lab (setSigs sig1 green) ∷ []) nothing zero
      (tnode (intc (lab (setSigs sig1 green) ∷ []) nothing zero
        (tnode (extc [] nothing zero
          (tnode empty))))))))
-- trace is lab (setSigs sig2 green) ∷ lab (setSigs sig1 green) ∷ [] ; nothing
badSignal .(lab (setSigs sig2 green) ∷ lab (setSigs sig1 green) ∷ efq _ ∷ l) m
          (tnode (extc .(lab (setSigs sig1 green) ∷ efq _ ∷ l) .m (inj₂ zero)
          (tnode (extc .(efq _ ∷ l) .m zero (tnode (extc l .m () tr))))))
badSignal .(lab (setSigs sig2 green) ∷ lab (setSigs sig1 green) ∷ l) m
          (tnode (extc .(lab (setSigs sig1 green) ∷ l) .m (inj₂ zero) (tnode (extc l .m zero (tnode (intc .l .m () tr))))))
badSignal .(lab (setSigs sig2 green) ∷ lab (setSigs sig1 green) ∷ [])
          .(just (efq∅⊎∅ (inj₂ (efq _)))) (tnode (extc .(lab (setSigs sig1 green) ∷ [])
          .(just (efq∅⊎∅ (inj₂ (efq _)))) (inj₂ zero) (tnode (extc .[] .(just (efq∅⊎∅ (inj₂ (efq _)))) zero (t
badSignal .(lab (setSigs sig2 green) ∷ lab (setSigs sig1 green) ∷ l) m
          (tnode (extc .(lab (setSigs sig1 green) ∷ l) .m (inj₂ zero) (tnode (extc l .m (suc ()) tr))))
badSignal .(lab (setSigs sig2 green) ∷ l) m (tnode (extc l .m (inj₂ zero) (tnode (intc .l .m () tr))))
badSignal .(lab (setSigs sig2 green) ∷ []) .(just (efq∅⊎∅ (inj₂ (efq _))))
          (tnode (extc .[] .(just (efq∅⊎∅ (inj₂ (efq _)))) (inj₂ zero) (tnode (terc ()))))
badSignal .(lab (setSigs sig2 green) ∷ l) m (tnode (extc l .m (inj₂ (suc ())) tr))
badSignal l m (tnode (intc .l .m (inj₁ ()) tr))
badSignal l m (tnode (intc .l .m (inj₂ ()) tr))
badSignal .[] .(just (efq∅⊎∅ (inj₁ (efq _)))) (tnode (terc (inj₁ ())))
badSignal .[] .(just (efq∅⊎∅ (inj₂ (efq _)))) (tnode (terc (inj₂ ())))


A.125 trainExampleOptimized3ProofRefCutDownForPaper

--@PREFIX@trainExampleOptimizedThreeProofRefinementCutDownForPaper
module trainExampleOptimized3ProofRefinementCutDownForPaper where

open import Data.Bool hiding (_≟_)
open import Data.Sum
open import Data.Maybe
open import Data.Bool.Base renaming (T to T') hiding (_≟_)
open import libBool
open import auxData
open import libList
open import Data.String
open import Data.String renaming (_==_ to ==strb ; _++_ to
open import Data.List renaming (_++_ to _++l_ ; map to mapL)
open import labelUniv
open import Size
open import process
open import choiceSetU
open import choiceFromList
open import preFix
open import simulator
open import NativeIO
open import SizedIO.Console hiding (main)
open import externalChoice
open import Data.Fin
open import Data.Nat hiding (_≟_)
open import parallelSimple
open import choiceSetU
open import interleave
open import hidingOperator
open import renamingOperator
open import primitiveProcess
open import TraceWithoutSize
open import RefWithoutSize
open import SizedIO.Base
open import renamingResult
open import dataAuxFunction
open import Relation.Nullary.Decidable
open import Data.String
open import UnitModule
open import trainExample
open import trainExampleOptimized3

postulate TODO : {A : Set} → A

--@BEGIN@badsignal
badSignal : OPTIMIZED-SYSTEM Coo BADSIGNALS
badSignal = -- Proof omitted in thesis,
            -- available in the CSP-Agda repository
            --@END
            TODO


A.126 UnitModule.agda

module UnitModule where

record Unit : Set where
  constructor unit

{-# COMPILE GHC Unit = data () (()) #-}